libc: locale: fix some assumptions that wchar_t cannot be signed
Needs ReviewPublic
Actions

Authored by kevans on Jun 7 2025, 2:45 AM.

Details

Reviewers

markj
bapt

Summary

wchar_t signedness is platform-dependant, and it's actually signed on
powerpc, riscv and x86. We make some assumptions in Libc that they
aren't negative, which could lead to some invalid accesses.

Ensure that comparisons for <= UCHAR_MAX also confirm that the value is
positive, and in largesearch() let's cast it to an unsigned value in
case we actually do have a character mapped but it's just unfortunately
out of range for our signed wchar_t. We still have a chance of doing
the right thing.

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Skipped

Unit

Tests Skipped

Build Status

Buildable 71106
Build 67989: arc lint + arc unit

Event Timeline

kevans created this revision.Jun 7 2025, 2:45 AM

Herald added a subscriber: imp. · View Herald TranscriptJun 7 2025, 2:45 AM

kevans requested review of this revision.Jun 7 2025, 2:45 AM

Harbormaster completed remote builds in B64696: Diff 156662.Jun 7 2025, 2:46 AM

markj added inline comments.Jun 7 2025, 2:17 PM

lib/libc/locale/collate.c
303	Why is this cast needed?

kevans added inline comments.Thu, Feb 26, 11:53 PM

lib/libc/locale/collate.c
303	Well, 2026 Kyle doesn't remember. Reasoning through it again, I think my logic was that weights are explicitly unsigned in Unicode data, so naturally this should be coerced to unsigned. With fresh eyes, that doesn't make any amount of sense unless wchar_t was 16-bit signed (to avoid sign extension bugs), so I'll drop this.

Remove useless cast

Harbormaster completed remote builds in B71106: Diff 172953.Sun, Mar 1, 3:21 AM

Revision Contents
Changeset List

Path

Size

lib/

libc/

locale/

collate.c

19 lines

Diff 172953

View Options

libc: locale: fix some assumptions that wchar_t cannot be signedNeeds ReviewPublicActions