Bug 7000 - printf %n specifier causes segfault
Status: RESOLVED FIXED
Alias: None
Product: systemtap
Classification: Unclassified
Component: translator
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Unassigned
Duplicates: 7015
Reported: 2008-10-31 21:08 UTC by Elliott Baron
Modified: 2008-12-05 18:42 UTC
Attachments: Results of stap-report (2.10 KB, text/plain), 2008-10-31 21:11 UTC, Elliott Baron

Description Elliott Baron 2008-10-31 21:08:40 UTC
Steps to reproduce:
1. stap -e 'probe begin{printf("%1n%b\n",2);exit()}'
Comment 1 Elliott Baron 2008-10-31 21:11:23 UTC
Created attachment 3039
Results of stap-report
Comment 2 Ananth Mavinakayanahalli 2008-11-10 08:55:40 UTC
*** Bug 7015 has been marked as a duplicate of this bug. ***
Comment 3 Wenji Huang 2008-11-13 08:54:53 UTC
Lack of bounds checking in c_unparser::visit_print_format will cause the segmentation
fault. Seems this patch can avoid that.

diff --git a/translate.cxx b/translate.cxx
index 4112855..741455e 100644
--- a/translate.cxx
+++ b/translate.cxx
@@ -4199,7 +4199,7 @@ c_unparser::visit_print_format (print_format* e)
        /* The type of the %c argument is 'int'.  */
        else if (components[i].type == print_format::conv_char)
          o->line() << ", (int)" << tmp[arg_ix++].value();
-       else
+       else if (arg_ix < (int) tmp.size())
          o->line() << ", " << tmp[arg_ix++].value();
       }
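Review bot: the new `else if (arg_ix < (int) tmp.size())` guard only protects the generic branch; the `conv_char` branch immediately above it still does `tmp[arg_ix++].value()` with no check, so a format such as `"%c"` with no argument takes the same out-of-bounds path this hunk is meant to close. Silently skipping the emit when arguments run out also leaves a conversion in the format with no matching argument in the generated call, so the crash in the translator becomes a mismatched printf in the generated module. Suggest comparing the number of argument-consuming components against `tmp.size()` once before the loop and reporting a translation error on mismatch, rather than guarding individual branches.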
Comment 4 Wenji Huang 2008-11-14 03:04:48 UTC
See commit 1f5490d125bdb76179724ddd989569734235d185.
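As an added illustration of the component/argument mismatch described in Comment 3 (example code written for this page, not systemtap's translator and not part of the bug thread): a small validator that walks a printf-style format, counts the conversions that each consume an argument, rejects %n outright, and reports a count mismatch instead of indexing past the argument list. The accepted conversion set, including the %b from the reproducer, and the names `FormatCheck` and `check_format` are assumptions of this example.

```cpp
#include <cstddef>
#include <string>

// Outcome of validating one format string against its argument count.
// (Hypothetical type for this example; not from translate.cxx.)
struct FormatCheck {
    std::size_t consumed;   // conversions that each take one argument
    bool ok;                // true only when every conversion has exactly one argument
    std::string reason;     // empty when ok
};

// Conversions this example accepts (assumed set; 'b' mirrors the reproducer's %b).
static bool is_known_conv(char c) {
    return std::string("diouxXcspb").find(c) != std::string::npos;
}

// Walk the format once, up front, the way the translator could before it
// starts indexing its argument vector. Rejects %n because it writes through
// an argument pointer, and rejects any count mismatch in either direction.
FormatCheck check_format(const std::string& fmt, std::size_t nargs) {
    FormatCheck r{0, true, ""};
    for (std::size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        ++i;
        if (i >= fmt.size()) { r.ok = false; r.reason = "dangling '%' at end of format"; return r; }
        if (fmt[i] == '%') continue;               // literal percent, consumes nothing
        // flags
        while (i < fmt.size() && std::string("-+ #0").find(fmt[i]) != std::string::npos) ++i;
        // width: digits, or '*' which consumes an int argument of its own
        if (i < fmt.size() && fmt[i] == '*') { ++r.consumed; ++i; }
        else while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9') ++i;
        // precision: '.' then digits or '*'
        if (i < fmt.size() && fmt[i] == '.') {
            ++i;
            if (i < fmt.size() && fmt[i] == '*') { ++r.consumed; ++i; }
            else while (i < fmt.size() && fmt[i] >= '0' && fmt[i] <= '9') ++i;
        }
        // length modifiers
        while (i < fmt.size() && std::string("hlLqjzt").find(fmt[i]) != std::string::npos) ++i;
        if (i >= fmt.size()) { r.ok = false; r.reason = "incomplete conversion at end of format"; return r; }
        char conv = fmt[i];
        if (conv == 'n') { r.ok = false; r.reason = "%n writes through an argument pointer; rejected"; return r; }
        if (!is_known_conv(conv)) { r.ok = false; r.reason = std::string("unknown conversion '%") + conv + "'"; return r; }
        ++r.consumed;
    }
    if (r.consumed != nargs) {
        r.ok = false;
        r.reason = "format consumes " + std::to_string(r.consumed) +
                   " argument(s) but " + std::to_string(nargs) + " were supplied";
    }
    return r;
}
```

Run against the reproducer's format `"%1n%b\n"` with one argument, the check fails on the %n before any argument is touched; `"%d %d\n"` with one argument fails with a count mismatch rather than reading past the end of the argument vector, which is the condition the patch in Comment 3 guards against one branch at a time.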
Comment 5 Elliott Baron 2008-12-05 18:42:21 UTC
Decision in 7051 to remove %n