bitsmanent / snore

sleep with feedback
MIT License
73 stars 11 forks

The `[0,INT_MAX)` time check allows NaN through #20

Closed jpdoyle closed 2 years ago

jpdoyle commented 2 years ago
```
$ ./snore 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d-10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d
00d 00h 00m 00.000s
```

If you add `printf("%f\n",tm);` after https://github.com/clamiax/snore/blob/caad43cde564123b541df3cb2652df55937ac45f/snore.c#L118 you can observe that the number is NaN:

```
$ ./snore 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d-10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d
-nan
00d 00h 00m 00.000s
```

This ends up being accidentally safe because all comparisons involving NaN are false, so tm < endtm is false and the loop is never entered. However, if the loop is ever executed, this would invoke undefined behavior, as demonstrated if you run with ubsan on the branch https://github.com/jpdoyle/snore/tree/nan-unsafety:

```
$ ./snore 10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d-10000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d
-nan
snore.c:98:6: runtime error: store to null pointer of type 'char'
```

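
The pattern behind this report, as an added example that is not snore's own code: a range check written as "reject if `tm < 0 || tm >= INT_MAX`" silently accepts NaN, because every ordered comparison with NaN evaluates to false, while the same check written as "accept only if `tm >= 0 && tm < INT_MAX`" rejects it. The parser below is a hypothetical stand-in (assumed grammar: `<number>d` terms, each optionally prefixed with `-` to subtract) that reproduces the two ways NaN can reach the check through `strtod`: an over-long digit string overflows to infinity and `inf - inf` is NaN, and `strtod` also accepts the literal `nan`. The function names `parse_days`, `accepts_buggy` and `accepts_fixed` are mine.

```c
#include <limits.h>
#include <math.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical duration parser, not snore's code: a sequence of
 * <number>d terms, each optionally prefixed by '-' meaning "subtract".
 * strtod() saturates an over-long digit string to +inf, so
 * "1e400d-1e400d" evaluates to inf - inf == NaN. strtod() also parses
 * the literal "nan", so "nand" yields NaN without any overflow. */
static double parse_days(const char *s)
{
    double total = 0.0;

    while (*s) {
        int neg = 0;
        char *end;
        double v;

        if (*s == '-') {
            neg = 1;
            s++;
        }
        v = strtod(s, &end);
        if (end == s || *end != 'd')
            return NAN;             /* malformed term: surface it as NaN */
        v *= 86400.0;               /* days -> seconds */
        total = neg ? total - v : total + v;
        s = end + 1;
    }
    return total;
}

/* Buggy check: "reject if out of [0, INT_MAX)". Both comparisons are
 * false for NaN, so NaN is never rejected and flows on to the caller. */
int accepts_buggy(double tm)
{
    if (tm < 0 || tm >= (double)INT_MAX)
        return 0;
    return 1;
}

/* Fixed check: "accept only if inside [0, INT_MAX)". For NaN both
 * comparisons are false, so the && is false and NaN is rejected.
 * The explicit isnan() is redundant with that but documents intent. */
int accepts_fixed(double tm)
{
    if (isnan(tm))
        return 0;
    return tm >= 0 && tm < (double)INT_MAX;
}

int main(void)
{
    /* Constructed inputs: the overflow case from the issue, the literal
     * NaN case, a negative value and a normal value. */
    const char *inputs[] = { "1e400d-1e400d", "nand", "-1d", "2d" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        double tm = parse_days(inputs[i]);
        printf("%-16s tm=%-8g buggy=%d fixed=%d\n", inputs[i], tm,
               accepts_buggy(tm), accepts_fixed(tm));
    }
    return 0;
}
```

The same inversion applies to any float range check on untrusted input: state the accepted set, not the rejected one, so that the unordered value falls on the reject side by default, and add `isnan()` where the intent should be visible to reviewers.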
bitsmanent commented 2 years ago

Feel free to send a PR to fix the issue otherwise I will give a look later today.

bitsmanent commented 2 years ago

Fixed in ad68ede