Google Git
Sign in
fuchsia / third_party / github.com / GNOME / glib / refs/heads/upstream/wip/smcv/bug3418-newlocale-clear-errno^! / .
commit730f10fddf5d59bbf2c75c6efbebe3ba98f7a342[log] [tgz]
authorSimon McVittie <smcv@collabora.com>Fri Jul 26 12:42:22 2024 +0100
committerSimon McVittie <smcv@collabora.com>Fri Jul 26 13:06:08 2024 +0100
tree6a7b05ebd7efe8953f2098467b2e061a04bbe7a6
parent3aee3c4e46999bc728d4eb9102ecf75ca58171d0 [diff]
strfuncs: Always initialize errno to 0 after get_C_locale()

Some callers of `g_ascii_strtoull()` and similar functions assume that
they can use this pattern, similar to what they might do for
Standard C `strtoull()`:

    errno = 0;
    result = g_ascii_strtoull (nptr, endptr, base);
    saved_errno = errno;

    if (saved_errno != 0)
      g_printerr ("error parsing %s\n", nptr);

This is based on the fact that it is non-trivial to tell whether
`strtoull()` and related functions succeeded (in which case the value
of `errno` is unspecified) or failed (in which case `errno` is valid).
For example, POSIX `strtoul(3)` suggests this pattern:

> Since 0, `ULONG_MAX`, and `ULLONG_MAX` are returned on error and are
> also valid returns on success, an application wishing to check for
> error situations should set `errno` to 0, then call `strtoul()` or
> `strtoull()`, then check `errno`.

However, `g_ascii_strtoull()` does not *only* call a function resembling
`strtoull()` (`strtoull_l()` or its reimplementation
`g_parse_long_long()`): it also calls `get_C_locale()`, which wraps
`newlocale()`. Even if `newlocale()` succeeds (which in practice we
expect and assume that it will), it is valid for it to clobber `errno`.
For example, it might attempt to open a file that only conditionally
exists, which would leave `errno` set to `ENOENT`.

This is difficult to reproduce in practice: I encountered what I
believe to be this bug when compiling GLib-based software for i386 in a
Debian 12 derivative via an Open Build Service instance, but I could
not reproduce the bug in a similar chroot environment locally, and I
also could not reproduce the bug when compiling for x86_64 or for a
Debian 10, 11 or 13 derivative on the same Open Build Service instance.
It also cannot be reproduced via the GTest framework, because
`g_test_init()` indirectly calls `g_ascii_strtoull()`, resulting in
the call to `newlocale()` already having happened by the time we enter
test code.

Resolves: https://gitlab.gnome.org/GNOME/glib/-/issues/3418
Signed-off-by: Simon McVittie <smcv@collabora.com>

diff --git a/glib/gstrfuncs.c b/glib/gstrfuncs.c
index 122de73..0b2a9e4 100644
--- a/glib/gstrfuncs.c
+++ b/glib/gstrfuncs.c

@@ -299,6 +299,10 @@
       g_once_init_leave (&initialized, TRUE);
     }
 
+  /* Callers of this function assume that if errno != 0, it indicates
+   * a failure by the function to which the locale_t is passed, for
+   * example strtoull_l(); so we need to make sure to clear errno. */
+  errno = 0;
   return C_locale;
 }
 #endif