From peterjeremy@acm.org  Tue Apr 17 21:01:03 2012
Return-Path: <peterjeremy@acm.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BC06B1065797
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 17 Apr 2012 21:01:03 +0000 (UTC)
	(envelope-from peterjeremy@acm.org)
Received: from mail28.syd.optusnet.com.au (mail28.syd.optusnet.com.au [211.29.133.169])
	by mx1.freebsd.org (Postfix) with ESMTP id 3A9088FC1A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 17 Apr 2012 21:01:03 +0000 (UTC)
Received: from server.vk2pj.dyndns.org (c220-239-251-180.belrs5.nsw.optusnet.com.au [220.239.251.180])
	by mail28.syd.optusnet.com.au (8.13.1/8.13.1) with ESMTP id q3HL100q022283
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 18 Apr 2012 07:01:01 +1000
Received: from server.vk2pj.dyndns.org (localhost.vk2pj.dyndns.org [127.0.0.1])
	by server.vk2pj.dyndns.org (8.14.5/8.14.4) with ESMTP id q3HL0x0l032483;
	Wed, 18 Apr 2012 07:00:59 +1000 (EST)
	(envelope-from peter@server.vk2pj.dyndns.org)
Received: (from peter@localhost)
	by server.vk2pj.dyndns.org (8.14.5/8.14.5/Submit) id q3HL0xPW032482;
	Wed, 18 Apr 2012 07:00:59 +1000 (EST)
	(envelope-from peter)
Message-Id: <201204172100.q3HL0xPW032482@server.vk2pj.dyndns.org>
Date: Wed, 18 Apr 2012 07:00:59 +1000 (EST)
From: Peter Jeremy <peterjeremy@acm.org>
Reply-To: Peter Jeremy <peterjeremy@acm.org>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: fputws(3) generates infinite output
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         167039
>Category:       kern
>Synopsis:       [libc] fputws(3) generates infinite output
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    das
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 17 21:10:02 UTC 2012
>Closed-Date:    Fri Oct 19 04:00:34 UTC 2012
>Last-Modified:  Fri Oct 19 04:00:34 UTC 2012
>Originator:     Peter Jeremy
>Release:        FreeBSD 8.2-STABLE amd64
>Organization:
n/a
>Environment:
System: FreeBSD server.vk2pj.dyndns.org 8.2-STABLE FreeBSD 8.2-STABLE #15: Thu Feb 2 11:02:29 EST 2012 root@server.vk2pj.dyndns.org:/var/obj/usr/src/sys/server amd64

>Description:
	Programs using fputws(3) generate an apparently infinite
	number of copies of the string passed to fputws().

	The code in src/lib/libc/stdio/fputws.c has no obvious mechanism
	for loop termination except in the case of an error.  This
	appears to be a regression introduced in r187302.

>How-To-Repeat:
	The following sample code generates an infinite series of "abc":
#include <stdio.h>
#include <wchar.h>

int main(void)
{
    fputws(L"abc", stdout);
    putchar('\n');
    return(0);
}

>Fix:
	Not clear at present.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->das 
Responsible-Changed-By: das 
Responsible-Changed-When: Sat Apr 21 06:05:38 UTC 2012 
Responsible-Changed-Why:  
over to me 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167039 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/167039: commit references a PR
Date: Sat, 21 Apr 2012 06:08:45 +0000 (UTC)

 Author: das
 Date: Sat Apr 21 06:08:02 2012
 New Revision: 234528
 URL: http://svn.freebsd.org/changeset/base/234528
 
 Log:
   Fix a bug introduced in r187302 that was causing fputws() to enter an
   infinite loop pretty much unconditionally.  It's remarkable that the
   patch that introduced the bug was never tested, but even more
   remarkable that nobody noticed for over two years.
   
   PR:		167039
   MFC after:	3 days
 
 Modified:
   head/lib/libc/stdio/fputws.c
 
 Modified: head/lib/libc/stdio/fputws.c
 ==============================================================================
 --- head/lib/libc/stdio/fputws.c	Sat Apr 21 05:26:02 2012	(r234527)
 +++ head/lib/libc/stdio/fputws.c	Sat Apr 21 06:08:02 2012	(r234528)
 @@ -70,7 +70,7 @@ fputws_l(const wchar_t * __restrict ws, 
  		iov.iov_len = uio.uio_resid = nbytes;
  		if (__sfvwrite(fp, &uio) != 0)
  			goto error;
 -	} while (ws != NULL);
 +	} while (wsp != NULL);
  	FUNLOCKFILE(fp);
  	return (0);
  
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->patched 
State-Changed-By: das 
State-Changed-When: Sat Apr 21 06:14:10 UTC 2012 
State-Changed-Why:  
Thanks.  This is fixed in r234528 and will be MFC'd shortly. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167039 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/167039: commit references a PR
Date: Sat, 21 Apr 2012 07:31:41 +0000 (UTC)

 Author: das
 Date: Sat Apr 21 07:31:27 2012
 New Revision: 234536
 URL: http://svn.freebsd.org/changeset/base/234536
 
 Log:
   As noted by Peter Jeremy, r234528 only partially fixed the infinite
   loop bug introduced in r187302.  This completes the fix.
   
   PR:		167039
   MFC after:	3 days
 
 Modified:
   head/lib/libc/stdio/fputws.c
 
 Modified: head/lib/libc/stdio/fputws.c
 ==============================================================================
 --- head/lib/libc/stdio/fputws.c	Sat Apr 21 07:00:39 2012	(r234535)
 +++ head/lib/libc/stdio/fputws.c	Sat Apr 21 07:31:27 2012	(r234536)
 @@ -61,8 +61,8 @@ fputws_l(const wchar_t * __restrict ws, 
  	uio.uio_iov = &iov;
  	uio.uio_iovcnt = 1;
  	iov.iov_base = buf;
 +	wsp = ws;
  	do {
 -		wsp = ws;
  		nbytes = l->__wcsnrtombs(buf, &wsp, SIZE_T_MAX, sizeof(buf),
  		    &fp->_mbstate);
  		if (nbytes == (size_t)-1)
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: patched->closed 
State-Changed-By: peterj 
State-Changed-When: Fri Oct 19 03:59:46 UTC 2012 
State-Changed-Why:  
Committed & MFC'd (r234631 & r234632) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167039 
>Unformatted:
