[LLVMbugs] [Bug 21321] New: locale scan-build triggers CERT MEM04 zero-length allocation error

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Mon Oct 20 21:59:16 PDT 2014


http://llvm.org/bugs/show_bug.cgi?id=21321

            Bug ID: 21321
           Summary: locale scan-build triggers CERT MEM04 zero-length
                    allocation error
           Product: libc++
           Version: unspecified
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: All Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: stevemac321 at live.com
                CC: llvmbugs at cs.uiuc.edu, mclow.lists at gmail.com
    Classification: Unclassified

in <locale> __double_or_nothing line 2974 calls realloc; scan-build reports
that __new_cap can return zero which triggers the error.

From N1225 (CERT):
"If the value of nsize in this example is 0, the standard allows the option of
either returning a null pointer or returning a pointer to an invalid (e.g.,
zero-length) object. In cases where the realloc() function frees the memory but
returns a null pointer, execution of the code in this example results in a
double free."

See N1570 (C99) 7.22.3 for corroboration:
If the space cannot be allocated, a null pointer is returned. If the size of
the space requested is zero, the behavior is implementation-defined: either a
null pointer is returned, or the behavior is as if the size were some nonzero
value, except that the returned pointer shall not be used to access an object.

Here is a proposed fix, although it might be naive because it assumes that
__new_cap is never intended to have a zero value.  

    _Tp* __t = nullptr;
    if(__new_cap != 0) // just add this check
        __t = (_Tp*)realloc(__owns ? __b.get() : 0, __new_cap);
    if (__t == 0)
        __throw_bad_alloc();
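To make the hazard concrete in plain C (this is an added illustration, not libc++ code; the function names grow_buffer, double_or_nothing and demo are made up for it): a doubling strategy whose current capacity is zero produces a zero request, and if that request reaches realloc() the implementation may free the old block and return NULL, after which the caller's own free() of the old pointer is a double free. The guard below is the same one the proposed fix adds before the realloc call, and on every failure path the caller's original buffer is left untouched and still owned by the caller.

```c
#include <stdlib.h>
#include <string.h>

/* Result codes for grow_buffer() (constructed for this example). */
enum grow_result { GROW_OK = 0, GROW_ZERO_SIZE = 1, GROW_OOM = 2 };

/* Grow *buf to new_cap bytes, keeping its contents.
 * A zero request never reaches realloc(), so the implementation-defined
 * "free the block and return NULL" outcome of realloc(p, 0) (C11 7.22.3.5,
 * CERT MEM04) cannot leave *buf dangling.  On any failure *buf and *cap are
 * unchanged, so the caller's eventual free(*buf) is a single valid free. */
enum grow_result grow_buffer(char **buf, size_t *cap, size_t new_cap)
{
    if (new_cap == 0)
        return GROW_ZERO_SIZE;            /* the check the report proposes */
    char *t = realloc(*buf, new_cap);     /* *buf == NULL behaves like malloc */
    if (t == NULL)
        return GROW_OOM;                  /* old block is still valid here */
    *buf = t;
    *cap = new_cap;
    return GROW_OK;
}

/* Doubling strategy in the spirit of the report's __double_or_nothing:
 * with *cap == 0 the computed request is 0, which is exactly the case the
 * scan-build warning is about; grow_buffer() rejects it instead of
 * forwarding it to realloc(). */
enum grow_result double_or_nothing(char **buf, size_t *cap)
{
    return grow_buffer(buf, cap, 2 * *cap);
}

/* Exercise the edge cases; returns 0 when every expectation holds,
 * otherwise the number of the first failed step. */
int demo(void)
{
    char *b = NULL;
    size_t cap = 0;

    /* 1: doubling from zero yields a zero request and is refused, nothing freed */
    if (double_or_nothing(&b, &cap) != GROW_ZERO_SIZE || b != NULL || cap != 0)
        return 1;

    /* 2: explicit nonzero request succeeds */
    if (grow_buffer(&b, &cap, 16) != GROW_OK || b == NULL || cap != 16)
        return 2;
    memcpy(b, "hello", 6);

    /* 3: a zero request on a live buffer leaves the buffer and contents alone */
    if (grow_buffer(&b, &cap, 0) != GROW_ZERO_SIZE || cap != 16 || strcmp(b, "hello") != 0)
        return 3;

    /* 4: doubling from a nonzero capacity works and preserves contents */
    if (double_or_nothing(&b, &cap) != GROW_OK || cap != 32 || strcmp(b, "hello") != 0)
        return 4;

    free(b);   /* exactly one free of the one live block */
    return 0;
}
```

If the unguarded form (realloc(*buf, 0) followed by a later free(*buf)) is substituted for grow_buffer(), the same sequence becomes a double free on a platform that chooses the "free and return NULL" behaviour, which is what the CERT text warns about.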

I applied this fix locally with a freshly synced libcxx.  There is a locale.cpp
source file, so I rebuilt the library with the patch.

I am on Ubuntu 14.4 x64
clang version 3.6.0 (trunk 217475)
Target: x86_64-unknown-linux-gnu
Thread model: posix

I am new to the project, so check my steps. After syncing, I built the lib from
my build_libcxx:
make
sudo make install

I ran all the tests under localization; first without the patch:
../testit 2>&1 | tee baseline.log

Then I applied my patch and rebuilt the lib and ran the localization tests
again:
../testit 2>&1 | tee patched.log

The results were exactly the same.  

Let me know if you have other questions
Steve MacKenzie
stevemac321 at live.com
