Bug 201646 - glibc-2.7 crashes on sscanf("", "%as", &foo)
Bug#: 201646 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: toolchain@gentoo.org Reported By: vapier@gentoo.org
Component: Core system
URL:  http://sources.redhat.com/bugzilla/show_bug.cgi?id=5441
Summary: glibc-2.7 crashes on sscanf("", "%as", &foo)
Keywords:  
Status Whiteboard: 
Opened: 2007-12-08 02:50 0000
Description:   Opened: 2007-12-08 02:50 0000 
looks like glibc-2.7 crashes when using the allocation flag to scanf() and
reading of strings, and the input string is an empty string

got verification from various sources/arches ... here's the output on ppc

*** glibc detected *** ./a.out: munmap_chunk(): invalid pointer: 0xff9360a0 ***
======= Backtrace: =========
/lib/libc.so.6[0xfec0318]
/lib/libc.so.6(_IO_vfscanf+0x15bc)[0xfe9d16c]
/lib/libc.so.6(vsscanf+0x94)[0xfeae0b4]
/lib/libc.so.6(_IO_sscanf+0x84)[0xfea6c04]
./a.out[0x100004d0]
/lib/libc.so.6[0xfe5eb00]
/lib/libc.so.6[0xfe5ecc0]
======= Memory map: ========
00100000-00103000 r-xp 00100000 00:00 0                                  [vdso]
0fe40000-0ff9c000 r-xp 00000000 08:04 20889953                          
/lib/libc-2.7.so
0ff9c000-0ffac000 ---p 0015c000 08:04 20889953                          
/lib/libc-2.7.so
0ffac000-0ffb0000 r--p 0015c000 08:04 20889953                          
/lib/libc-2.7.so
0ffb0000-0ffb1000 rw-p 00160000 08:04 20889953                          
/lib/libc-2.7.so
0ffb1000-0ffb4000 rw-p 0ffb1000 00:00 0
0ffc0000-0ffdf000 r-xp 00000000 08:04 20889952                          
/lib/ld-2.7.so
0ffef000-0fff0000 r--p 0001f000 08:04 20889952                          
/lib/ld-2.7.so
0fff0000-0fff1000 rw-p 00020000 08:04 20889952                          
/lib/ld-2.7.so
10000000-10001000 r-xp 00000000 08:04 8921485                           
/usr/local/src/blackfin/svn/toolchain/branches/toolchain_07r1_branch/genext2fs/build/a.out
10010000-10011000 r--p 00000000 08:04 8921485                           
/usr/local/src/blackfin/svn/toolchain/branches/toolchain_07r1_branch/genext2fs/build/a.out
10011000-10012000 rw-p 00001000 08:04 8921485                           
/usr/local/src/blackfin/svn/toolchain/branches/toolchain_07r1_branch/genext2fs/build/a.out
10012000-10033000 rwxp 10012000 00:00 0                                  [heap]
f7fd5000-f7fd7000 rw-p f7fd5000 00:00 0
ff922000-ff938000 rw-p ffffffea000 00:00 0                              
[stack]
Aborted

------- Comment #1 From SpanKY 2007-12-08 02:50:54 0000 ------- 
test code:
int main() { char *path; return sscanf ("", "%as", &path); }

------- Comment #2 From SpanKY 2007-12-10 01:13:32 0000 ------- 
fixed in glibc-2.7-r1

------- Comment #3 From SpanKY 2007-12-10 01:15:04 0000 ------- 
http://sources.gentoo.org/gentoo/src/patchsets/glibc/2.7/0050_all_glibc-2.7-sscanf-as-BZ5441.patch?rev=1.1

------- Comment #4 From Norberto Bensa 2007-12-11 04:24:19 0000 ------- 
Is this fix the cause of samba, cups, and kopete (so far) crashing?

I'm currently re-emerging 2.7-r0, but I can make some tests if you guide me.

------- Comment #5 From Norberto Bensa 2007-12-11 04:39:05 0000 ------- 
Ignore my last message. Cups and Samba are crashing because of libgcrypt-1.4.0.