Package: libc6
Version: 2.13-38
Severity: minor

When strtod receives a string starting with 'n', it will read 16 bytes
regardless of the actual length of the string sent.

Example:

$ echo '#include <stdlib.h>
int main() { char buf[] = "no"; strtod(buf, NULL); }
' > main.c
$ gcc main.c
$ LD_DEBUG=bindings ./a.out 2>&1 | grep strtod
     25988: binding file ./a.out [0] to /lib/x86_64-linux-gnu/libc.so.6 [0]: normal symbol `strtod' [GLIBC_2.2.5]
$ valgrind --track-origins=yes ./a.out
==123== Memcheck, a memory error detector
==123== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==123== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==123== Command: ./a.out
==123==
==123== Conditional jump or move depends on uninitialised value(s)
==123==    at 0x4EB5C71: __GI___strncasecmp_l (strcmp.S:243)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123== Conditional jump or move depends on uninitialised value(s)
==123==    at 0x4EB8197: __GI___strncasecmp_l (strcmp.S:2255)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123== Use of uninitialised value of size 8
==123==    at 0x4EB8199: __GI___strncasecmp_l (strcmp.S:2257)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123== Use of uninitialised value of size 8
==123==    at 0x4EB819D: __GI___strncasecmp_l (strcmp.S:2258)
==123==    by 0x4E6B2F3: ____strtod_l_internal (strtod_l.c:585)
==123==    by 0x40052E: main (in /net/home/borisc/test/a.out)
==123==  Uninitialised value was created by a stack allocation
==123==    at 0x40050C: main (in /net/home/borisc/test/a.out)
==123==
==123==
==123== HEAP SUMMARY:
==123==     in use at exit: 0 bytes in 0 blocks
==123==   total heap usage: 0 allocs, 0 frees, 0 bytes allocated
==123==
==123== All heap blocks were freed -- no leaks are possible
==123==
==123== For counts of detected and suppressed errors, rerun with: -v
==123== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 4 from 4)
$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.7/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.7.2-5' --with-bugurl=file:///usr/share/doc/gcc-4.7/README.Bugs --enable-languages=c,c++,go,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.7 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.7 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --with-arch-32=i586 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.7.2 (Debian 4.7.2-5)

-- System Information:
Debian Release: 7.2
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.8-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libc6 depends on:
ii  libc-bin  2.13-38
ii  libgcc1   1:4.7.2-5

libc6 recommends no packages.

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.49
pn  glibc-doc              <none>
ii  locales                2.13-38

-- debconf information:
  glibc/upgrade: true
  glibc/disable-screensaver:
  glibc/restart-failed:
  glibc/restart-services:
  libraries/restart-without-asking: false
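
The Valgrind errors in the report concern uninitialised bytes in the caller's stack frame; whether any read reaches unmapped memory is a separate check when triaging such a report. The C program below is an added example, not part of the original report or of glibc: it places the string so that its terminating NUL is the last byte before a PROT_NONE guard page and runs strtod in a child process. The helper name probe_strtod_at_page_end is hypothetical.

```c
/* Added example: guard-page probe for reads past a string's terminator. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* Returns 0 if strtod() parsed `s` without faulting, 1 if its end pointer left
 * the string, the fatal signal number (e.g. SIGSEGV) if it hit the guard
 * page, or -1 on setup failure. Hypothetical helper, not a glibc API. */
int probe_strtod_at_page_end(const char *s)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t len = strlen(s) + 1;                 /* include the NUL */
    if (page <= 0 || len > (size_t)page) return -1;
    size_t pg = (size_t)page;
    /* Two pages: the first holds the string, the second becomes the guard. */
    char *map = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED) return -1;
    if (mprotect(map + pg, pg, PROT_NONE) != 0) { munmap(map, 2 * pg); return -1; }
    char *buf = map + pg - len;                 /* NUL is the last readable byte */
    memcpy(buf, s, len);

    int result = -1;
    pid_t pid = fork();
    if (pid == 0) {                             /* child: a fault kills only it */
        char *end = NULL;
        (void)strtod(buf, &end);
        _exit(end >= buf && end < buf + len ? 0 : 1);
    } else if (pid > 0) {
        int status;
        if (waitpid(pid, &status, 0) == pid)
            result = WIFSIGNALED(status) ? WTERMSIG(status) : WEXITSTATUS(status);
    }
    munmap(map, 2 * pg);
    return result;
}

int main(void)
{
    int r = probe_strtod_at_page_end("no");     /* the input from the report */
    printf("strtod(\"no\") at page end: %s\n", r == 0 ? "no fault" : "fault or error");
    return r == 0 ? 0 : 1;
}
```

A non-zero result equal to SIGSEGV means the parse touched the guard page; 0 means every read stayed inside the mapped page holding the string.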