From 5709a7204dfd9a4fedf2cdbaa341bc6c540dadf3 Mon Sep 17 00:00:00 2001
From: Bruno Haible
Date: Sun, 31 May 2009 14:38:11 +0200
Subject: [PATCH] Check that memchr does not read past the first occurrence of the byte.
---
 ChangeLog | 8 ++++++++
 tests/test-memchr.c | 30 ++++++++++++++++++++++++++++++
 tests/test-strstr.c | 7 ++++++-
 tests/zerosize-ptr.h | 4 +++-
 4 files changed, 47 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e08b1e51c..aacc63af7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2009-05-31 Bruno Haible
+
+ * tests/zerosize-ptr.h (zerosize_ptr): Specify more details.
+ * tests/test-memchr.c (main): Check that memchr does not read past the
+ first occurrence of the byte.
+ * tests/test-strstr.c (main): Update comment.
+ Suggested by Eric Blake.
+
 2009-05-30 Bruno Haible
 * doc/ld-output-def.texi (Visual Studio Compatibility): Explain in more
diff --git a/tests/test-memchr.c b/tests/test-memchr.c
index bf99a82ed..1124f8b58 100644
--- a/tests/test-memchr.c
+++ b/tests/test-memchr.c
@@ -94,6 +94,36 @@ main ()
 }
 }
+ /* Check that memchr() does not read past the first occurrence of the byte being searched. See the Austin Group's clarification . */
+ {
+ char *page_boundary = (char *) zerosize_ptr ();
+
+ if (page_boundary != NULL)
+ {
+ int n;
+
+ for (n = 1; n <= 500; n++)
+ {
+ char *mem = page_boundary - n;
+ memset (mem, 'X', n);
+ ASSERT (MEMCHR (mem, 'U', n) == NULL);
+
+ {
+ int i;
+
+ for (i = 0; i < n; i++)
+ {
+ mem[i] = 'U';
+ ASSERT (MEMCHR (mem, 'U', 4000) == mem + i);
+ mem[i] = 'X';
+ }
+ }
+ }
+ }
+ }
+
 free (input);
 return 0;
diff --git a/tests/test-strstr.c b/tests/test-strstr.c
index 600f7c786..f7bc4cb91 100644
--- a/tests/test-strstr.c
+++ b/tests/test-strstr.c
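Review bot: The second ASSERT passes a length of 4000 to MEMCHR although only the n bytes (n ≤ 500) before page_boundary are accessible, and nothing in the hunk says this is deliberate, so a reader will take it for a buffer overrun. As the zerosize_ptr description in this same commit states, the page after page_boundary is neither readable nor writable, so an implementation that reads past the first 'U' faults on that guard page — the failure signal is a crash, not an ASSERT failure — and the whole check is silently skipped on platforms where zerosize_ptr () returns NULL. I would put that above the inner loop: `/* 4000 deliberately extends past page_boundary into the unmapped page: a conforming memchr stops at mem + i and never touches it; an over-read shows up as a crash.  */`. The enclosing main () continues past the end of the hunk.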
@@ -61,7 +61,12 @@ main (int argc, char *argv[])
 }
 {
- /* See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=521737 */
+ /* On some platforms, the memchr() functions reads past the first occurrence of the byte to be searched, leading to an out-of-bounds read access for strstr(). See . This is a bug in memchr(), see the Austin Group's clarification . */
 const char *fix = "aBaaaaaaaaaaax";
 char *input = malloc (strlen (fix) + 1);
 const char *result;
diff --git a/tests/zerosize-ptr.h b/tests/zerosize-ptr.h
index 9918ac721..a38a2cf49 100644
--- a/tests/zerosize-ptr.h
+++ b/tests/zerosize-ptr.h
@@ -35,7 +35,9 @@
 # endif
 #endif
-/* Return a pointer to a zero-size object in memory, if possible.
+/* Return a pointer to a zero-size object in memory (that is, actually, a pointer to a page boundary where the previous page is readable and writable and the next page is neither readable not writable), if possible.
 Return NULL otherwise. */
 static void *
--
2.11.0
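Review bot: The new comment in test-strstr.c reads `the memchr() functions reads past`, where `functions` should be `function`; the added comment in the zerosize-ptr.h hunk has a similar slip, `neither readable not writable`, which should be `neither readable nor writable`. The second one is worth fixing because that sentence is the contract the new guard-page check in test-memchr.c relies on, and "not writable" could be read as leaving the next page readable. Both are one-word changes inside added comment text; no code lines are affected. The strstr hunk's enclosing main () starts before and continues after the hunk.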