Hi Andy,

Andy Wingo wrote in
<https://lists.gnu.org/archive/html/bug-gnulib/2012-04/msg00000.html>:
> The following program causes a segfault in the unistring that is current
> in Debian sid:
> 
>     #include <unistr.h>
>     #include <stdio.h>
> 
>     int main (int argc, char *argv[])
>     {
>       uint32_t floral_leaf = 0x2767;   /* U+2767, one UTF-32 unit */
>       
>       /* resultbuf == NULL and lengthp == NULL: this call crashes. */
>       printf ("floral leaf: %s\n", u32_to_u8 (&floral_leaf, 1, 0, 0));
> 
>       return 0;
>     }

This is normal documented behaviour. The function's description at [1]

   uint8_t * u32_to_u8 (const uint32_t *s, size_t n, uint8_t *resultbuf, size_t *lengthp)

is preceded by the general conventions explanation [2]:

   Functions returning a string result take a (resultbuf, lengthp)
   argument pair. If resultbuf is not NULL and the result fits into
   *lengthp units, it is put in resultbuf, and resultbuf is returned.
   Otherwise, a freshly allocated string is returned. In both cases,
   *lengthp is set to the length (number of units) of the returned string.
   In case of error, NULL is returned and errno is set.

In your program, the "Otherwise" applies, so:
   - A freshly allocated string is returned.
   - *lengthp is set to the length (number of units) of the returned string.

Since you pass lengthp == a null pointer, you provoke a null pointer
dereference.

PS: Bugs in libunistring should normally be reported to bug-libunistring,
    not to bug-gnulib. [3]

Bruno

[1] http://www.gnu.org/software/libunistring/manual/html_node/Elementary-string-conversions.html
[2] http://www.gnu.org/software/libunistring/manual/html_node/Conventions.html
[3] http://www.gnu.org/software/libunistring/manual/html_node/Reporting-problems.html
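The (resultbuf, lengthp) convention Bruno quotes, shown as an added example that is not part of the original thread and not libunistring's code: `my_u32_to_u8` is a stand-in that implements the documented contract for UTF-32 to UTF-8 (both the "fits in resultbuf" branch and the "freshly allocated" branch, plus the error branch with errno = EILSEQ, which the message only quotes from the manual), and `u32_to_cstring` / `check_floral_leaf` are hypothetical caller-side helpers showing the correct call: a real `size_t` behind `lengthp`, a stack buffer for the common case, and `free()` only when the returned pointer is not that buffer. The sample input is the same code point as in the bug report, U+2767, which encodes as E2 9D A7.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* my_u32_to_u8: stand-in (assumption: not libunistring's code) following the
   documented (resultbuf, lengthp) convention for UTF-32 -> UTF-8.  If resultbuf
   is non-NULL and the result fits in *lengthp units, it is written there and
   resultbuf is returned; otherwise a malloc'ed buffer is returned.  *lengthp
   always receives the result length, so lengthp must never be NULL.  Returns
   NULL with errno = EILSEQ (surrogate or > U+10FFFF) or ENOMEM.  Like the real
   function, the result is not NUL-terminated. */
static uint8_t *
my_u32_to_u8 (const uint32_t *s, size_t n, uint8_t *resultbuf, size_t *lengthp)
{
  size_t needed = 0, i;
  for (i = 0; i < n; i++)                 /* pass 1: validate, count units */
    {
      uint32_t c = s[i];
      if (c < 0x80) needed += 1;
      else if (c < 0x800) needed += 2;
      else if (c < 0x10000 && (c < 0xD800 || c >= 0xE000)) needed += 3;
      else if (c >= 0x10000 && c < 0x110000) needed += 4;
      else { errno = EILSEQ; return NULL; }
    }
  uint8_t *result = resultbuf;
  if (resultbuf == NULL || needed > *lengthp)   /* the "Otherwise" branch */
    {
      result = malloc (needed ? needed : 1);
      if (result == NULL) { errno = ENOMEM; return NULL; }
    }
  uint8_t *p = result;
  for (i = 0; i < n; i++)                 /* pass 2: encode */
    {
      uint32_t c = s[i];
      if (c < 0x80)
        *p++ = (uint8_t) c;
      else if (c < 0x800)
        { *p++ = (uint8_t) (0xC0 | (c >> 6)); *p++ = (uint8_t) (0x80 | (c & 0x3F)); }
      else if (c < 0x10000)
        { *p++ = (uint8_t) (0xE0 | (c >> 12)); *p++ = (uint8_t) (0x80 | ((c >> 6) & 0x3F));
          *p++ = (uint8_t) (0x80 | (c & 0x3F)); }
      else
        { *p++ = (uint8_t) (0xF0 | (c >> 18)); *p++ = (uint8_t) (0x80 | ((c >> 12) & 0x3F));
          *p++ = (uint8_t) (0x80 | ((c >> 6) & 0x3F)); *p++ = (uint8_t) (0x80 | (c & 0x3F)); }
    }
  *lengthp = needed;
  return result;
}

/* Caller pattern (hypothetical helper): a real size_t for lengthp, a stack
   buffer for the common case, free() only if the converter allocated.
   Returns a malloc'ed NUL-terminated string, or NULL with errno set. */
static char *
u32_to_cstring (const uint32_t *s, size_t n)
{
  uint8_t stackbuf[64];
  size_t len = sizeof stackbuf;           /* in: capacity; out: result length */
  uint8_t *r = my_u32_to_u8 (s, n, stackbuf, &len);
  if (r == NULL)
    return NULL;
  char *str = malloc (len + 1);
  if (str != NULL)
    { memcpy (str, r, len); str[len] = '\0'; }
  if (r != stackbuf)
    free (r);                             /* freshly allocated: caller frees */
  return str;
}

/* Returns 1 if U+2767 converted into a caller buffer of `capacity` units
   (capacity <= 8) reports 3 units, yields E2 9D A7, and heap-allocates exactly
   when capacity < 3 (returned pointer differs from the caller's buffer). */
static int
check_floral_leaf (size_t capacity)
{
  uint8_t buf[8];
  uint32_t leaf = 0x2767;
  size_t len = capacity;
  uint8_t *r = my_u32_to_u8 (&leaf, 1, buf, &len);
  if (r == NULL || len != 3)
    return 0;
  int ok = r[0] == 0xE2 && r[1] == 0x9D && r[2] == 0xA7
           && ((capacity < 3) == (r != buf));
  if (r != buf)
    free (r);
  return ok;
}

int
main (void)
{
  uint32_t leaf = 0x2767;                 /* constructed input, as in the report */
  char *str = u32_to_cstring (&leaf, 1);
  if (str == NULL) { perror ("u32_to_cstring"); return 1; }
  printf ("floral leaf: %s (%zu bytes)\n", str, strlen (str));
  free (str);
  return 0;
}
```

Note that passing a null `lengthp` is wrong in both branches, not only the allocating one: the convention sets `*lengthp` unconditionally, and without it the caller could not even know how many units were written into `resultbuf`.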

