Path: utzoo!attcan!uunet!tut.cis.ohio-state.edu!zaphod.mps.ohio-state.edu!wuarchive!julius.cs.uiuc.edu!apple!voder!nsc!taux01!amos
From: amos@taux01.nsc.com (Amos Shapir)
Newsgroups: comp.sys.nsc.32k
Subject: strcpy/strcmp bug alert (was: Dhrystone 2.1)
Message-ID: <4583@taux01.nsc.com>
Date: 13 Sep 90 07:40:01 GMT
References:
Organization: National Semiconductor (IC) Ltd, Israel, Home of the Series 32000
Lines: 25
X-Hdate: 23 Elul 5750

There are major bugs in the code for strcpy and strcmp which Dave posted.
I don't think I can post the code that fixes that, so I'll just describe
the bugs - they're quite easy to fix anyway.

Both bugs happen only when the null byte at the end of a string is
immediately followed by non-null bytes that happen to occupy the same
double-word. Such strings are not generated by the compiler (which usually
aligns everything to a double-word boundary), but may happen in data read
from files.

Bug in strcpy: after discovering that there's a null byte in the current
double-word, it checks the lower half (at mvby1); if the null isn't there,
it checks the *upper byte first* (and branches to mv4). Consequently, if
both the 3rd and 4th bytes are null, the whole word is copied, overwriting
one byte too many.

Bug in strcmp: when double-words compare unequal, it checks which byte
doesn't match; but it does not check whether a lower byte (that does match)
in the same word is null! Therefore, equal strings might compare unequal
due to the garbage following the null byte.

--
Amos Shapir                              amos@taux01.nsc.com, amos@nsc.nsc.com
National Semiconductor (Israel) P.O.B. 3007, Herzlia 46104, Israel
Tel. +972 52 522255  TWX: 33691, fax: +972-52-558322
GEO: 34 48 E / 32 10 N
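The following C is an added illustration, not code from this post and not the Series 32000 assembly Dave posted (which is not reproduced here). It models the two decision paths Amos describes in a word-at-a-time strcpy/strcmp beside corrected versions, and runs them on constructed inputs where the terminator is followed by garbage in the same word. Assumptions (mine, not the post's): a little-endian host with 4-byte words, source buffers that are word-aligned and readable through the word holding the terminator (the precondition such word-at-a-time code relies on), and my own function names and sample strings; the labels mvby1/mv4 appear only in comments as the post's names for the branches being modelled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Load one 32-bit word from a 4-byte-aligned address. memcpy keeps the
 * access well-defined; little-endian byte order is assumed, so byte i of
 * the string is bits 8*i..8*i+7 of the word. */
static uint32_t load_word(const char *p)
{
    uint32_t w;
    memcpy(&w, p, sizeof w);
    return w;
}

/* Non-zero iff at least one byte of w is zero (the usual borrow trick). */
static int has_zero_byte(uint32_t w)
{
    return ((w - 0x01010101u) & ~w & 0x80808080u) != 0;
}

static unsigned byte_at(uint32_t w, unsigned i)
{
    return (w >> (8 * i)) & 0xffu;
}

/* strcpy tail: how many bytes of the word containing the terminator to copy.
 * Order as the post describes the buggy code: low half first (mvby1), then
 * the TOP byte before the third (mv4). With bytes 2 and 3 both zero this
 * answers 4, one byte more than the string plus terminator occupies. */
static size_t buggy_tail_len(uint32_t w)
{
    if (byte_at(w, 0) == 0) return 1;
    if (byte_at(w, 1) == 0) return 2;
    if (byte_at(w, 3) == 0) return 4;   /* tested before byte 2: the bug */
    return 3;
}

/* Fixed: stop at the lowest zero byte. Only called when one exists. */
static size_t fixed_tail_len(uint32_t w)
{
    unsigned i;
    for (i = 0; i < 3; i++)
        if (byte_at(w, i) == 0) return i + 1;
    return 4;
}

/* Word-at-a-time strcpy; returns bytes written, terminator included. */
static size_t word_strcpy(char *dst, const char *src,
                          size_t (*tail_len)(uint32_t))
{
    size_t n = 0;
    for (;;) {
        uint32_t w = load_word(src + n);
        if (!has_zero_byte(w)) {
            memcpy(dst + n, &w, sizeof w);
            n += sizeof w;
            continue;
        }
        size_t t = tail_len(w);
        memcpy(dst + n, &w, t);
        return n + t;
    }
}

/* Word-at-a-time strcmp. When two words differ, the buggy path
 * (check_terminator == 0) reports the lowest mismatching byte without
 * asking whether a lower, matching byte was the terminator; the fix asks. */
static int word_strcmp(const char *a, const char *b, int check_terminator)
{
    size_t n = 0;
    for (;;) {
        uint32_t wa = load_word(a + n), wb = load_word(b + n);
        if (wa == wb) {
            if (has_zero_byte(wa)) return 0;  /* equal through terminator */
            n += sizeof wa;
            continue;
        }
        for (unsigned i = 0; i < 4; i++) {
            unsigned ca = byte_at(wa, i), cb = byte_at(wb, i);
            if (check_terminator && ca == 0 && cb == 0) return 0;
            if (ca != cb) return (int)ca - (int)cb;
        }
    }
}

/* Constructed input: equal strings "ab", terminator at byte 2, different
 * garbage at byte 3 of the same word (the "data read from files" case). */
int demo_strcmp(int fixed)
{
    uint32_t a[2] = {0}, b[2] = {0};
    memcpy(a, "ab\0X", 4);
    memcpy(b, "ab\0Y", 4);
    return word_strcmp((const char *)a, (const char *)b, fixed);
}

/* Ordinary mismatch in the second word: both variants must agree. */
int demo_plain_mismatch(int fixed)
{
    uint32_t a[3] = {0}, b[3] = {0};
    memcpy(a, "hellx", 5);
    memcpy(b, "hello", 5);
    return word_strcmp((const char *)a, (const char *)b, fixed);
}

/* Constructed input: "ab" padded with zeros, so bytes 2 and 3 are both
 * zero. A destination sized strlen+1 == 3 would be overrun by one byte. */
size_t demo_strcpy_bytes(int fixed)
{
    uint32_t src[2] = {0}, dst[2] = {0};
    memcpy(src, "ab", 2);
    return word_strcpy((char *)dst, (const char *)src,
                       fixed ? fixed_tail_len : buggy_tail_len);
}

int main(void)
{
    printf("strcmp(\"ab\\0X\", \"ab\\0Y\"): buggy=%d fixed=%d\n",
           demo_strcmp(0), demo_strcmp(1));
    printf("strcpy(\"ab\") bytes written: buggy=%zu fixed=%zu\n",
           demo_strcpy_bytes(0), demo_strcpy_bytes(1));
    return 0;
}
```

The two demo functions return the quantities the post reasons about: the buggy strcmp returns 'X' - 'Y' for two equal strings, and the buggy strcpy writes four bytes where three are owed. The destination buffers here are deliberately oversized so the extra write lands in padding rather than corrupting anything; in real use a caller that allocated strlen(src)+1 bytes gets a one-byte overrun.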