This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/4514] New: printf_unknown calculates work_buffer size incorrectly
- From: "steve dot hawkes at motorola dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 16 May 2007 19:59:27 -0000
- Subject: [Bug libc/4514] New: printf_unknown calculates work_buffer size incorrectly
- Reply-to: sourceware-bugzilla at sourceware dot org
The printf_unknown() function, which is called when an unknown format specifier
is encountered, calculates the size of its local work_buffer array incorrectly.
The code uses the maximum of the format width specifier and the format letter
value where it should be using the maximum width of the text representation of
these values.
Here is the current code:
/* Handle an unknown format specifier.  This prints out a canonicalized
   representation of the format spec itself.  */
static int
printf_unknown (FILE *s, const struct printf_info *info,
                const void *const *args)
{
  int done = 0;
  CHAR_T work_buffer[MAX (info->width, info->spec) + 32];
  CHAR_T *const workend
    = &work_buffer[sizeof (work_buffer) / sizeof (CHAR_T)];
This code uses the integer value of the format width specifier and the integer
value of the unrecognized format letter to calculate the array size. Since
work_buffer[] is used to store the canonicalized representation of the
unrecognized format specification, the sizes that should be used are the widths
of the text representation of the info->width and info->spec values.
The following code typically causes a processor exception:
#include <stdio.h>

int
main(int argc,
     char** argv)
{
  /* "%*" takes the int argument (0x12345678) as the field width; the
     following '"' is not a valid conversion, so printf_unknown() is used.  */
  printf("This is a bad format string: %*\"\n", 0x12345678);
  return (0);
}
For this code, info->width is 0x12345678 and info->spec is '"'. The
printf_unknown() function calculates MAX(info->width, info->spec) + 32, or
MAX(0x12345678, 0x22) + 32, and uses this to size the work_buffer array on the
stack. Since the resultant size exceeds the stack bounds, the code segfaults
instead of printing what the glibc coder intended, %305419896".
--
Summary: printf_unknown calculates work_buffer size incorrectly
Product: glibc
Version: 2.3.3
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: steve dot hawkes at motorola dot com
CC: glibc-bugs at sources dot redhat dot com
GCC build triplet: all
GCC host triplet: all
GCC target triplet: all
http://sourceware.org/bugzilla/show_bug.cgi?id=4514
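The sizing mistake described in the report, as an added example that is not part of the bug report or of glibc's code: the buggy sizing rule uses the numeric values of the width and the conversion character, while a correct rule only needs room for their decimal text. The example also renders the canonical specification (`%305419896"` for the report's input) into a caller-supplied buffer with an explicit length check. It models `CHAR_T` as plain `char` and ignores glibc's flag characters beyond the fixed 32-byte margin the original code reserves; the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

/* Number of characters needed to print v in decimal (including a '-' sign). */
static size_t decimal_width(long v)
{
    char tmp[32];                       /* large enough for any long */
    return (size_t) snprintf(tmp, sizeof tmp, "%ld", v);
}

/* Sizing rule as quoted in the report: MAX (info->width, info->spec) + 32.
   It grows with the *value* of the width, not with its printed length. */
static size_t buggy_work_buffer_size(long width, int spec)
{
    long m = width > spec ? width : spec;
    return (size_t) m + 32;
}

/* Sizing rule based on the text representation: digits of width, digits
   of precision (if any, plus the '.'), the spec character, and the same
   fixed margin of 32 the original reserves for '%' and flag characters. */
static size_t fixed_work_buffer_size(long width, long prec, int spec)
{
    size_t n = decimal_width(width) + 1 /* spec */ + 32;
    (void) spec;                        /* one character regardless of value */
    if (prec >= 0)
        n += 1 /* '.' */ + decimal_width(prec);
    return n;
}

/* Render "%<width>[.<prec>]<spec>" into out.  Returns the length written,
   or -1 if outsz is too small (the output is then not trusted). */
static int render_unknown_spec(char *out, size_t outsz,
                               long width, long prec, int spec)
{
    int n;
    if (prec >= 0)
        n = snprintf(out, outsz, "%%%ld.%ld%c", width, prec, spec);
    else
        n = snprintf(out, outsz, "%%%ld%c", width, spec);
    if (n < 0 || (size_t) n >= outsz)
        return -1;                      /* truncated: caller must not use it */
    return n;
}

/* Helper for checking: does the rendered spec equal the expected string? */
static int render_matches(long width, long prec, int spec, const char *expected)
{
    char buf[64];
    int n = render_unknown_spec(buf, sizeof buf, width, prec, spec);
    return n >= 0 && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed input taken from the report: width 0x12345678, spec '"'. */
    long width = 0x12345678L;
    int spec = '"';
    char buf[64];

    printf("buggy sizing : %zu bytes on the stack\n",
           buggy_work_buffer_size(width, spec));
    printf("fixed sizing : %zu bytes on the stack\n",
           fixed_work_buffer_size(width, -1, spec));
    if (render_unknown_spec(buf, sizeof buf, width, -1, spec) >= 0)
        printf("canonical    : %s\n", buf);
    return 0;
}
```

With the report's input the buggy rule asks for roughly 305 MB of automatic storage, which is what exhausts the stack; the text-width rule needs 42 bytes for the same specification, and the rendered form is the eleven-character string the report says was intended.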