openssl/engines
Taylor R Campbell 99548cd16e Avoid undefined behaviour with the <ctype.h> functions.
fix https://github.com/openssl/openssl/issues/25112

As defined in the C standard:

   In all cases the argument is an int, the value of which shall
   be representable as an unsigned char or shall equal the value
   of the macro EOF.  If the argument has any other value, the
   behavior is undefined.

This is because they're designed to work with the int values returned
by getc or fgetc; they need extra work to handle a char value.

If EOF is -1 (as it almost always is), with 8-bit bytes, the allowed
inputs to the ctype.h functions are:

   {-1, 0, 1, 2, 3, ..., 255}.

However, on platforms where char is signed, such as x86 with the
usual ABI, code like

   char *p = ...;
   ... isspace(*p) ...

may pass in values in the range:

   {-128, -127, -126, ..., -2, -1, 0, 1, ..., 127}.

This has two problems:

1. Inputs in the set {-128, -127, -126, ..., -2} are forbidden.

2. The non-EOF byte 0xff is conflated with the value EOF = -1, so
   even though the input is not forbidden, it may give the wrong
   answer.

Casting char inputs to unsigned char first works around this, by
mapping the (non-EOF character) range {-128, -127, ..., -1} to {128,
129, ..., 255}, leaving no collisions with EOF.  So the above
fragment needs to be:

   char *p = ...;
   ... isspace((unsigned char)*p) ...

This patch inserts unsigned char casts where necessary.  Most of the
cases I changed, I compile-tested using -Wchar-subscripts -Werror on
NetBSD, which defines the ctype.h functions as macros so that they
trigger the warning when the argument has type char.  The exceptions
are under #ifdef __VMS or #ifdef _WIN32.  I left alone calls where
the input is int where the cast would obviously be wrong; and I left
alone calls where the input is already unsigned char so the cast is
unnecessary.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/25113)
2024-10-10 20:47:48 +02:00
..
asm Copyright year updates 2023-09-07 09:59:15 +01:00
build.info Rename x86-32 assembly files from .s to .S. 2022-05-24 13:16:06 +10:00
e_afalg_err.c Add af_alg errors to the error queue 2022-10-21 12:59:14 +02:00
e_afalg_err.h Add af_alg errors to the error queue 2022-10-21 12:59:14 +02:00
e_afalg.c Prefer ARRAY_SIZE(...) 2024-07-22 06:55:35 -04:00
e_afalg.ec
e_afalg.h
e_afalg.txt Add af_alg errors to the error queue 2022-10-21 12:59:14 +02:00
e_capi_err.c Copyright year updates 2023-09-07 09:59:15 +01:00
e_capi_err.h Add {lib}_R_{lib}_LIB, for our engines and other "external" modules 2022-10-05 14:02:03 +02:00
e_capi.c Stop raising ERR_R_MALLOC_FAILURE in most places 2022-10-05 14:02:03 +02:00
e_capi.ec
e_capi.txt Copyright year updates 2023-09-07 09:59:15 +01:00
e_dasync_err.c
e_dasync_err.h
e_dasync.c Copyright year updates 2024-04-09 13:43:26 +02:00
e_dasync.ec
e_dasync.txt
e_devcrypto.c Remove uneeded cast to unsigned int 2023-12-22 14:43:31 +01:00
e_loader_attic_err.c
e_loader_attic_err.h
e_loader_attic.c Avoid undefined behaviour with the <ctype.h> functions. 2024-10-10 20:47:48 +02:00
e_loader_attic.ec
e_loader_attic.txt
e_ossltest_err.c
e_ossltest_err.h
e_ossltest.c
e_ossltest.ec
e_ossltest.txt
e_padlock.c Copyright year updates 2023-09-07 09:59:15 +01:00