Bug 12445 (CVE-2012-3404) - printf() stack corruption in case of positional parameters + many format specs (CVE-2012-3404)
Summary: printf() stack corruption in case of positional parameters + many format specs (CVE-2012-3404)
Status: RESOLVED FIXED
Alias: CVE-2012-3404
Product: glibc
Classification: Unclassified
Component: libc
Version: 2.12
Importance: P2 normal
Target Milestone: ---
Assignee: Ulrich Drepper
Reported: 2011-01-27 00:23 UTC by Petr Baudis
Modified: 2014-06-16 12:19 UTC

fweimer: security+


Attachments
proposed patch (349 bytes, text/plain)
2011-01-27 00:23 UTC, Petr Baudis

Description Petr Baudis 2011-01-27 00:23:56 UTC
Created attachment 5215: proposed patch

A seldom-used code branch in vfprintf causes stack corruption in this (minimal) testcase:

#include <stdio.h>

int main (void)
{
  /* Positional parameters (%N$) select the seldom-used vfprintf branch;
     the long run of %% adds many more format specs to the same call.  */
  printf ("\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%",
          "a", "b", "c", "d", 5);
  return 0;
}
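As an added example, not code from the bug report or from glibc: a parameterised probe that builds the same kind of format as the reporter's testcase (the five positional parameters followed by a variable number of %% specs), formats it through snprintf so the result can be inspected instead of printed, and compares it with the output the C standard requires. On a fixed libc every spec count matches; on a vfprintf with this bug the positional branch corrupts the stack instead, so the probe doubles as a regression check. The function names (build_format, run_case, expected_output, check_case), the HEAD string, and the spec counts swept in main are this example's own choices; the five arguments are the ones from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if defined(__GNUC__)
/* The probe formats through a non-literal string on purpose. */
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
#endif

/* Head of the format (constructed here, same shape as the report's
   literal): positional parameters 1..5, each used at least once so a
   FORTIFY_SOURCE build does not reject the format for skipping one. */
static const char HEAD[] = "\n%1$s\n%1$s%2$s%2$s%3$s%4$s%5$d%5$d";

/* Build HEAD followed by n_specs copies of "%%".  Each "%%" is a spec
   that consumes no argument, so it raises vfprintf's spec count without
   changing the argument list.  Caller frees the result. */
char *build_format(size_t n_specs)
{
    size_t head_len = strlen(HEAD);
    char *fmt = malloc(head_len + 2 * n_specs + 1);
    if (fmt == NULL)
        return NULL;
    memcpy(fmt, HEAD, head_len);
    memset(fmt + head_len, '%', 2 * n_specs);
    fmt[head_len + 2 * n_specs] = '\0';
    return fmt;
}

/* Format with the report's five arguments into a caller-supplied buffer.
   Returns the snprintf result, or -1 if the format could not be built. */
int run_case(size_t n_specs, char *out, size_t out_size)
{
    char *fmt = build_format(n_specs);
    if (fmt == NULL)
        return -1;
    int n = snprintf(out, out_size, fmt, "a", "b", "c", "d", 5);
    free(fmt);
    return n;
}

/* The output the C standard requires: "\na\nabbcd55" followed by
   n_specs '%' characters.  Returns its length, or -1 if out is too small. */
int expected_output(size_t n_specs, char *out, size_t out_size)
{
    static const char body[] = "\na\nabbcd55";
    size_t body_len = sizeof body - 1;
    if (out_size < body_len + n_specs + 1)
        return -1;
    memcpy(out, body, body_len);
    memset(out + body_len, '%', n_specs);
    out[body_len + n_specs] = '\0';
    return (int)(body_len + n_specs);
}

/* 1 if snprintf produced exactly the expected text for n_specs "%%"
   specs, 0 otherwise.  A fixed libc returns 1 for every n. */
int check_case(size_t n_specs)
{
    char got[512], want[512];
    int ng = run_case(n_specs, got, sizeof got);
    int nw = expected_output(n_specs, want, sizeof want);
    return ng >= 0 && nw >= 0 && ng == nw && strcmp(got, want) == 0;
}

int main(void)
{
    /* Sweep the spec count upward past the few dozen the report uses. */
    for (size_t n = 0; n <= 200; n += 25)
        printf("%3zu extra %%%% specs: %s\n", n,
               check_case(n) ? "ok" : "MISMATCH");
    return 0;
}
```

Build it with the compiler's fortify flags of the system under test (for example `-O2 -D_FORTIFY_SOURCE=2`) as well as without, since the fortified `snprintf` wrapper enters vfprintf through the same positional-parameter path the report exercises.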
Comment 1 Ulrich Drepper 2011-02-20 13:01:37 UTC
I checked in a patch and a test case.
Comment 2 Mike Frysinger 2014-06-14 22:37:42 UTC
for reference, the change:
https://sourceware.org/git/?p=glibc.git;a=commit;h=84a4211850e3d23a9d3a4f3b294752a3b30bc0ff