https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95177

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |msebor at gcc dot gnu.org

--- Comment #5 from Martin Sebor <msebor at gcc dot gnu.org> ---
Calling toupper() or any other character classification function declared in
<ctype.h> with a negative value other than EOF is undefined.  When char is a
signed type, using any value outside the 7-bit ASCII set runs the risk of
accessing the char classification array, commonly used to implement the
functions, outside its bounds due to sign extension.  The Stack Overflow post
describes the technique in the abstract.  An example of a real implementation
is Glibc (see for instance its __isctype macro in <ctype.h>).

Glibc uses casts or other conversions from char to a signed type before using
the character value, which suppresses GCC's -Wchar-subscripts, but the problem
still exists.

To avoid the out-of-bounds access the argument to these functions should be
cast to unsigned char first.  This is described in some detail in the CERT C
Secure Coding Standard rule STR37-C, "Arguments to character-handling functions
must be representable as an unsigned char":
https://wiki.sei.cmu.edu/confluence/x/BNcxBQ.

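The following is an added example illustrating the point in the comment above; it is not code from the bug report, GCC, or glibc. It shows the int value a <ctype.h> function actually receives with and without the STR37-C cast, a check for whether that value is a valid argument (EOF or 0..UCHAR_MAX), and an in-place upper-casing routine that applies the cast. The input string "caf\xe9 au lait" is constructed for the demonstration; the 0xE9 byte is the kind of value that sign-extends to a negative int when char is signed.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The value a <ctype.h> function receives when a plain char is passed.
 * On a platform where char is signed, a byte >= 0x80 sign-extends to a
 * negative int (0xE9 becomes -23). Implementations that index a
 * classification table with that value read before the table's start. */
int ctype_arg_without_cast(char c) { return c; }

/* The value it receives after the STR37-C cast: always 0..UCHAR_MAX,
 * regardless of whether char is signed or unsigned. */
int ctype_arg_with_cast(char c) { return (unsigned char)c; }

/* A <ctype.h> argument is defined only if it is EOF or representable
 * as an unsigned char. */
int is_valid_ctype_arg(int c) { return c == EOF || (c >= 0 && c <= UCHAR_MAX); }

/* Upper-case a NUL-terminated byte string in place, following STR37-C:
 * toupper() is only ever called with a value in 0..UCHAR_MAX.
 * Returns the number of bytes that were changed. */
size_t upcase_in_place(char *s) {
    size_t changed = 0;
    for (; *s; ++s) {
        unsigned char in = (unsigned char)*s;   /* the cast that avoids UB */
        int up = toupper(in);
        if (up != in) {
            *s = (char)up;
            ++changed;
        }
    }
    return changed;
}

int main(void) {
    /* Constructed sample input: "caf" followed by the byte 0xE9, then " au lait". */
    char buf[] = "caf\xe9 au lait";
    char hi = '\xe9';

    printf("char is %s\n", CHAR_MIN < 0 ? "signed" : "unsigned");
    printf("without cast: toupper() would receive %d (%s)\n",
           ctype_arg_without_cast(hi),
           is_valid_ctype_arg(ctype_arg_without_cast(hi)) ? "valid" : "UNDEFINED");
    printf("with cast:    toupper() receives %d (%s)\n",
           ctype_arg_with_cast(hi),
           is_valid_ctype_arg(ctype_arg_with_cast(hi)) ? "valid" : "UNDEFINED");

    size_t n = upcase_in_place(buf);
    printf("upcased %zu bytes: \"%s\"\n", n, buf);
    return 0;
}
```

In the "C" locale only the ASCII letters change, so the 0xE9 byte passes through toupper() untouched but, crucially, it is looked up as 233 rather than -23. The `is_valid_ctype_arg` check is the condition -Wchar-subscripts cannot see once the char has been converted through a signed intermediate, as the comment notes for glibc.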