Bug 9857 - sprintf gives SIGSEGV
Summary: sprintf gives SIGSEGV
Status: RESOLVED INVALID
Alias: None
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.8
Importance: P2 critical
Target Milestone: ---
Assignee: Ulrich Drepper
Duplicates: 9858
Reported: 2009-02-17 13:06 UTC by Alexandr Igorevich Gulevich
Modified: 2014-07-01 20:52 UTC
fweimer: security-


Description Alexandr Igorevich Gulevich 2009-02-17 13:06:20 UTC
char n[100];
char *p=0;
sprintf(n,"%s",p);

gives SIGSEGV in glibc 2.6.1 and 2.9

In contrast:
snprintf in such a case gives "(NULL)" as expected
sprintf in glibc 2.3.6 and 2.2.3 gives "(NULL)" correctly
Comment 1 Jakub Jelinek 2009-02-17 13:28:33 UTC
Correctly is the wrong word, as this is clearly undefined behavior; the %s argument is
supposed to be a pointer to the initial element of an array of character type,
which NULL is not.  And it actually has nothing to do with glibc, because it is
GCC that optimizes the sprintf call into strcpy.
Comment 2 Andreas Schwab 2009-02-17 14:05:50 UTC
*** Bug 9858 has been marked as a duplicate of this bug. ***
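
Added example, not part of the bug report or of glibc: because passing NULL for %s is undefined and the result depends on how the compiler rewrites the call, the caller can resolve NULL itself and bound the write. The helper name format_str and its return codes are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not a glibc API): copy s into dst, substituting a
 * visible marker when s is NULL, and never writing past dst[cap - 1].
 * Returns 0 on success, 1 if the output was truncated, -1 on bad arguments
 * or a formatting error. */
static int format_str(char *dst, size_t cap, const char *s)
{
    if (dst == NULL || cap == 0)
        return -1;

    /* Resolve NULL before any printf-family call, so the result does not
     * depend on libc behaviour or on the compiler turning the call into
     * a plain string copy. */
    const char *src = (s != NULL) ? s : "(null)";

    int n = snprintf(dst, cap, "%s", src);
    if (n < 0) {
        dst[0] = '\0';
        return -1;
    }
    /* snprintf returns the length it wanted to write; >= cap means cut. */
    return ((size_t)n >= cap) ? 1 : 0;
}

int main(void)
{
    char n[100];
    char *p = 0;                 /* same NULL pointer as in the report */
    int rc = format_str(n, sizeof n, p);

    printf("rc=%d out=%s\n", rc, n);
    return 0;
}
```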