First, we should never check the size of __s if __l == 0 since the
array is not going to be modified in that case.
Second, negative __l is a well-defined error case (EINVAL) and we
should never trap on a conforming code like this:
r = getgroups(-1, NULL);
if (r == -1)
...
An example of non-desired behaviour for negative __l is the gnulib
configure script which checks for getgroups(-1, ...) to catch some
ancient FreeBSD kernel bug. The conftest binary traps even on good
system (e.g. linux/musl) and the unnecessary getgroups wrapper is
enforced for any project that uses gnulib.
This patch also changes the size_t cast to avoid the explicit zero
extension on systems where size_t differs from unsigned int.
This allows the compiler to optimize out the slow/trap path at all
for the typical correct code:
char buf[MB_LEN_MAX];
r = wctomb(buf, c);
The change tries to keep the "unknown object size" case handling in
wcrtomb() as is even if it seems redundant and not helping (we copy
__buf to possibly undersized __s in any case) and inconsistent with
wctomb() (where we let the original library method itself overwrite
the possibly undersized __s).
This allows the compiler to optimize out the slow/trap path at all
for the typical correct code:
char buf[PATH_MAX];
r = realpath(path, buf);
The change keeps the "unknown object size" case handling intact.
A few important notes:
* __extension__ is a GNU C "alternate" keyword, not a C++ keyword.[1]
* __extension__ is designed to work on "expressions"; it does work on
#include_next in C mode, but it has no effect in C++ mode; the
warning will still appear, if enabled, even with __extension__
preceding #include_next. This is because #include_next is not
considered an expression in C++, so the compiler attaches
__extension__ to the first expression of the header.
All of this leads us to a build failure while building at least all
Mozilla software. Moz has an alternate -isystem dir searched before
/usr/include that overrides some headers, including <features.h>. The
first statement in each of these headers is a #pragma, and since
__extension__ is looking for an expression, and #pragma is a "null"
expression, we end up with the following error:
dist/system_wrappers/features.h:1:9: error: '#pragma' is not allowed here
Since __extension__ has no effect on #include_next in C++ mode anyway,
and since it can cause breakage, this commit omits __extension__ in C++
mode.
[1]: https://gcc.gnu.org/onlinedocs/gcc-6.4.0/gcc/Alternate-Keywords.html
The POSIX definition of wcrtomb
(http://pubs.opengroup.org/onlinepubs/9699919799/functions/wcrtomb.html)
states:
"When wc is not a valid wide character, an encoding error shall occur.
In this case, the function shall store the value of the macro [EILSEQ]
in errno and shall return (size_t)-1; the conversion state shall be
undefined."
The fortify-headers implementation of wcrtomb interprets the result -1
as 18446744073709551615 bytes. Since this is the highest 64-bit number
possible, it is pretty safe to say this will always be larger than any
buffer provided to wcrtomb. Therefore, it traps.
Fixes bug https://bugs.alpinelinux.org/issues/7681.
Patch by A. Wilcox <AWilcox@Wilcox-Tech.com>
The __extension__ seems to trigger a bug in gcc when there are no
identifier specified afterwards.
Testcase:
echo "#include <stdlib.h>" > try.c && cc -O0 -c try.c
try.c:2:0: error: expected identifier or '(' at end of input
With -O2 it does not happen.
We work around this by only pulling in limits.h when we actually need the
PATH_MAX.
Signed-off-by: Natanael Copa <ncopa@alpinelinux.org>
Newer compilers default to GNU11, a C11 dialect. Some software however
is unprepared for this or has wrong compatibility checks. What happens
is that some software will for compatibility with C89
#define inline
before inclusion of a standard header, which is undefined behaviour in
C99 and above (C99/C11 7.1.2/4), as inline is a keyword.
If any libc headers that are then included via #include_next provide an
__inline macro definition (current musl does this if C++ or C99 and
above is detected) like the following
#define __inline inline
this results in any __inline token to be preprocessed away.
This breaks use of __builtin_va_arg_pack() in our stdio.h at
compile-time as it can only be used in always inlined functions. The
function attributes __always_inline__ and __gnu_inline__ themselves
require an inline specifier on the function to be applied.
If program includes stdlib.h before limits.h without _XOPEN_SOURCE,
_GNU_SOURCE or _BSD_SOURCE explicitly set, then will it always trigger
the trap with musl libc.
This is becase stdlib.h will pull in features.h which will set
_GNU_SOURCE. This means that the fortify stdlib.h will not include
limits.h but it will still trigger the fortified realpath(), but without
PATH_MAX set.
We fix this by including system stdlib.h before testing if limits.h
should be included.
Since PATH_MAX is known at compile time we can also error at compile
time, instead of compiling a broken realpath().
/usr/include/fortify/string.h: In function 'void* __fortify_memcpy(void*, const void*, size_t)':
/usr/include/fortify/string.h:13:12: error: invalid conversion from 'void*' to 'char*' [-fpermissive]
/usr/include/fortify/string.h:14:18: error: invalid conversion from 'const void*' to 'const char*' [-fpermissive]
Since we are relying on GCC anyway, assume void * arithmetic is OK.
