[PATCH] strtoul_ui: reject negative values


[PATCH] strtoul_ui: reject negative values

Matthieu Moy
strtoul_ui uses strtoul to get a long unsigned, then checks that casting
to unsigned does not lose information and returns the cast value.

On 64-bit architectures, checking that the cast does not change the value
catches most errors, but when sizeof(int) == sizeof(long) (e.g. i386),
the check does nothing. Unfortunately, strtoul silently accepts negative
values, and as a result strtoul_ui("-1", ...) raised no error.

This patch catches negative values before it's too late, i.e. before
calling strtoul. We still silently accept very large integers that wrap
to a valid "unsigned int".

Reported-by: Max Kirillov <[hidden email]>
Signed-off-by: Matthieu Moy <[hidden email]>
---
So, here's a proper patch (I mean, a band-aid patch, but properly
sent ;-) ).

It should be merged before Kartik's series (or inserted at the start
of the series) so that we get the fix before the test breakage.

 git-compat-util.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/git-compat-util.h b/git-compat-util.h
index f649e81..1df82fa 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -814,6 +814,9 @@ static inline int strtoul_ui(char const *s, int base, unsigned int *result)
  char *p;
 
  errno = 0;
+ /* negative values would be accepted by strtoul */
+ if (strchr(s, '-'))
+ return -1;
  ul = strtoul(s, &p, base);
  if (errno || *p || p == s || (unsigned int) ul != ul)
  return -1;
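Review bot: the new strchr() check is also needed on LP64, not only when sizeof(int) == sizeof(long), and the comment above it could say so: the `(unsigned int) ul != ul` test catches "-1" there (it converts to ULONG_MAX), but a negative input whose magnitude is close to ULONG_MAX is still in range for strtoul and wraps to a small value, so "-18446744073709551615" converts to 1 and passes the cast check. Something like `/* strtoul negates '-' inputs instead of rejecting them */` describes the actual hazard better than "negative values would be accepted by strtoul".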
--
2.5.0.402.g8854c44

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] strtoul_ui: reject negative values

Marc Branchaud
On 15-09-17 10:37 AM, Matthieu Moy wrote:

> strtoul_ui uses strtoul to get a long unsigned, then checks that casting
> to unsigned does not lose information and returns the cast value.
>
> On 64-bit architectures, checking that the cast does not change the value
> catches most errors, but when sizeof(int) == sizeof(long) (e.g. i386),
> the check does nothing. Unfortunately, strtoul silently accepts negative
> values, and as a result strtoul_ui("-1", ...) raised no error.
>
> This patch catches negative values before it's too late, i.e. before
> calling strtoul. We still silently accept very large integers that wrap
> to a valid "unsigned int".
>
> Reported-by: Max Kirillov <[hidden email]>
> Signed-off-by: Matthieu Moy <[hidden email]>
> ---
> So, here's a proper patch (I mean, a band-aid patch, but properly
> sent ;-) ).
>
> It should be merged before Kartik's series (or inserted at the start
> of the series) so that we get the fix before the test breakage.
>
>  git-compat-util.h | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/git-compat-util.h b/git-compat-util.h
> index f649e81..1df82fa 100644
> --- a/git-compat-util.h
> +++ b/git-compat-util.h
> @@ -814,6 +814,9 @@ static inline int strtoul_ui(char const *s, int base, unsigned int *result)
>   char *p;
>  
>   errno = 0;
> + /* negative values would be accepted by strtoul */
> + if (strchr(s, '-'))
> + return -1;

I think this is broken, in that it doesn't match strtoul's normal behaviour,
for strings like "1234-5678", no?

The test also doesn't work if the string has leading whitespace ("  -5").

>   ul = strtoul(s, &p, base);
>   if (errno || *p || p == s || (unsigned int) ul != ul)
>   return -1;

Hmm, but we check *p here, so IIUC it's an error if the string has any
trailing non-digits.  Weird.

                M.


Re: [PATCH] strtoul_ui: reject negative values

Matthieu Moy
Marc Branchaud <[hidden email]> writes:

>> --- a/git-compat-util.h
>> +++ b/git-compat-util.h
>> @@ -814,6 +814,9 @@ static inline int strtoul_ui(char const *s, int base, unsigned int *result)
>>   char *p;
>>  
>>   errno = 0;
>> + /* negative values would be accepted by strtoul */
>> + if (strchr(s, '-'))
>> + return -1;
>
> I think this is broken, in that it doesn't match strtoul's normal behaviour,
> for strings like "1234-5678", no?

The goal here is just to read a positive integer value. Rejecting
"1234-5678" is indeed a good thing. We already rejected it before my
patch by checking for p (AKA endptr for strtoul), as you noted below.

> The test also doesn't work if the string has leading whitespace ("  -5").

Why? It rejects any string that contains the character '-', regardless of
trailing spaces.

>>   ul = strtoul(s, &p, base);
>>   if (errno || *p || p == s || (unsigned int) ul != ul)
>>   return -1;
>
> Hmm, but we check *p here, so IIUC it's an error if the string has any
> trailing non-digits.  Weird.

strtoul_ui is more defensive than strtoul, by design.

--
Matthieu Moy
http://www-verimag.imag.fr/~moy/

Re: [PATCH] strtoul_ui: reject negative values

Marc Branchaud
On 15-09-17 11:34 AM, Matthieu Moy wrote:

> Marc Branchaud <[hidden email]> writes:
>
>>> --- a/git-compat-util.h
>>> +++ b/git-compat-util.h
>>> @@ -814,6 +814,9 @@ static inline int strtoul_ui(char const *s, int base, unsigned int *result)
>>>   char *p;
>>>  
>>>   errno = 0;
>>> + /* negative values would be accepted by strtoul */
>>> + if (strchr(s, '-'))
>>> + return -1;
>>
>> I think this is broken, in that it doesn't match strtoul's normal behaviour,
>> for strings like "1234-5678", no?
>
> The goal here is just to read a positive integer value. Rejecting
> "1234-5678" is indeed a good thing. We already rejected it before my
> patch by checking for p (AKA endptr for strtoul), as you noted below.
>
>> The test also doesn't work if the string has leading whitespace ("  -5").
>
> Why? It rejects any string that contains the character '-', regardless of
> trailing spaces.

Right, sorry.

>>>   ul = strtoul(s, &p, base);
>>>   if (errno || *p || p == s || (unsigned int) ul != ul)
>>>   return -1;
>>
>> Hmm, but we check *p here, so IIUC it's an error if the string has any
>> trailing non-digits.  Weird.
>
> strtoul_ui is more defensive than strtoul, by design.

Fair enough, just not what I expected from a function with that name.

                M.


Re: [PATCH] strtoul_ui: reject negative values

Junio C Hamano
Matthieu Moy <[hidden email]> writes:

> This patch catches negative values before it's too late, i.e. before
> calling strtoul. We still silently accept very large integers that wrap
> to a valid "unsigned int".

Is the last statement correct?  A very large long uint that wraps to
uint would not fit in long uint and you would get ERANGE, no?

> So, here's a proper patch (I mean, a band-aid patch, but properly
> sent ;-) ).

Yup.

> It should be merged before Kartik's series (or inserted at the start
> of the series) so that we get the fix before the test breakage.

Which one of his series?

>
>  git-compat-util.h | 3 +++
>  1 file changed, 3 insertions(+)
>
> diff --git a/git-compat-util.h b/git-compat-util.h
> index f649e81..1df82fa 100644
> --- a/git-compat-util.h
> +++ b/git-compat-util.h
> @@ -814,6 +814,9 @@ static inline int strtoul_ui(char const *s, int base, unsigned int *result)
>   char *p;
>  
>   errno = 0;
> + /* negative values would be accepted by strtoul */
> + if (strchr(s, '-'))
> + return -1;
>   ul = strtoul(s, &p, base);
>   if (errno || *p || p == s || (unsigned int) ul != ul)
>   return -1;
--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to [hidden email]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Reply | Threaded
Open this post in threaded view
|

[PATCH v2] strtoul_ui: reject negative values

Matthieu Moy
strtoul_ui uses strtoul to get a long unsigned, then checks that casting
to unsigned does not lose information and returns the cast value.

On 64-bit architectures, checking that the cast does not change the value
catches most errors, but when sizeof(int) == sizeof(long) (e.g. i386),
the check does nothing. Unfortunately, strtoul silently accepts negative
values, and as a result strtoul_ui("-1", ...) raised no error.

This patch catches negative values before it's too late, i.e. before
calling strtoul.

Reported-by: Max Kirillov <[hidden email]>
Signed-off-by: Matthieu Moy <[hidden email]>
---
Junio C Hamano <[hidden email]> writes:

> Matthieu Moy <[hidden email]> writes:
>
>> This patch catches negative values before it's too late, i.e. before
>> calling strtoul. We still silently accept very large integers that wrap
>> to a valid "unsigned int".
>
> Is the last statement correct?  A very large long uint that wraps to
> uint would not fit in long uint and you would get ERANGE, no?

Indeed. strtoul happily accepts negative values, but not overly large
ones.

I removed the sentence from the message. Actually, I think we are now
accepting exactly the right interval of values.

>> It should be merged before Kartik's series (or inserted at the start
>> of the series) so that we get the fix before the test breakage.
>
> Which one of his series?

kn/for-each-tag, which uses strtoul_ui for align:<num> and
content:lines=<num>.

 git-compat-util.h | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/git-compat-util.h b/git-compat-util.h
index f649e81..1df82fa 100644
--- a/git-compat-util.h
+++ b/git-compat-util.h
@@ -814,6 +814,9 @@ static inline int strtoul_ui(char const *s, int base, unsigned int *result)
  char *p;
 
  errno = 0;
+ /* negative values would be accepted by strtoul */
+ if (strchr(s, '-'))
+ return -1;
  ul = strtoul(s, &p, base);
  if (errno || *p || p == s || (unsigned int) ul != ul)
  return -1;
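Review bot: the comment on the added check should say why strchr() is used rather than testing the first character: strtoul() skips leading whitespace, so `*s == '-'` would let "  -5" through, while rejecting a '-' anywhere else in the string costs nothing because the `*p` check below already refuses trailing non-digits. A comment such as `/* reject '-' anywhere: strtoul skips leading blanks and would negate */` would settle the question raised in review of v1.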
--
2.5.0.402.g8854c44

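An added example, not code from the thread or from git itself, that makes the cases discussed above runnable: the strtoul_ui body from the hunk with the new check made switchable, so the "-1" case from the commit message, the "  -5" and "1234-5678" cases from Marc's review, and the ERANGE case from Junio's question can be exercised on any platform. The `unsigned long ul;` declaration and the `*result = ul; return 0;` tail are not in the quoted hunk and are assumed here.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Body of strtoul_ui as shown in the hunk. The "unsigned long ul;" declaration
 * and the trailing "*result = ul; return 0;" are not in the quoted hunk and are
 * assumed here. reject_minus = 0 is the pre-patch function, 1 the patched one. */
static int strtoul_ui_variant(char const *s, int base, unsigned int *result,
			      int reject_minus)
{
	unsigned long ul;
	char *p;

	errno = 0;
	if (reject_minus && strchr(s, '-'))
		return -1;	/* the patch: refuse '-' before strtoul negates it */
	ul = strtoul(s, &p, base);
	if (errno || *p || p == s || (unsigned int) ul != ul)
		return -1;
	*result = ul;
	return 0;
}

/* Test-friendly wrapper: the accepted value, or -1 when strtoul_ui rejects. */
long long parse_ui(char const *s, int reject_minus)
{
	unsigned int v = 0;
	if (strtoul_ui_variant(s, 10, &v, reject_minus))
		return -1;
	return v;
}

/* "-<ULONG_MAX>" is in range for strtoul and negates to 1, which fits in an
 * unsigned int on every platform, so the cast check alone never catches it. */
long long parse_minus_ulong_max(int reject_minus)
{
	char buf[32];
	snprintf(buf, sizeof(buf), "-%lu", ULONG_MAX);
	return parse_ui(buf, reject_minus);
}

/* A magnitude above ULONG_MAX makes strtoul set ERANGE, so it is rejected by
 * the errno check in both variants (Junio's point in the thread). */
long long parse_ulong_max_times_ten(int reject_minus)
{
	char buf[32];
	snprintf(buf, sizeof(buf), "%lu0", ULONG_MAX);
	return parse_ui(buf, reject_minus);
}
```

Whether the pre-patch function accepts "-1" depends only on sizeof(unsigned long) versus sizeof(unsigned int), which is why the i386 report could not be reproduced on an LP64 box.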