This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] vfprintf stack overflow [BZ #16617]

From: Paul Eggert <eggert at cs dot ucla dot edu>
To: Rich Felker <dalias at libc dot org>, libc-alpha at sourceware dot org
Date: Fri, 05 Dec 2014 14:00:29 -0800
Subject: Re: [PATCH] vfprintf stack overflow [BZ #16617]
Authentication-results: sourceware.org; auth=none
References: <5481E0BD dot 9000203 at redhat dot com> <alpine dot DEB dot 2 dot 10 dot 1412051657030 dot 4077 at digraph dot polyomino dot org dot uk> <20141205202639 dot GU4574 at brightrain dot aerifal dot cx>

On 12/05/2014 12:26 PM, Rich Felker wrote:

If N is the size of an actual allocated object, 2*N should not be able
to overflow. If it can, it means you already have a situation where an
object is so large that legal pointer subtractions overflow ptrdiff_t

No, because the array elements are of type struct printf_spec, which isseveral bytes in size. So even if the number of bytes in the arrayexceeds PTRDIFF_MAX by a factor of (say) eight, subtracting addresses ofarray elements won't overflow.


Admittedly this is all a bit theoretical.

Follow-Ups:
- Re: [PATCH] vfprintf stack overflow [BZ #16617]
  - From: Joseph Myers
- Re: [PATCH] vfprintf stack overflow [BZ #16617]
  - From: Rich Felker

References:
- [PATCH] vfprintf stack overflow [BZ #16617]
  - From: Florian Weimer
- Re: [PATCH] vfprintf stack overflow [BZ #16617]
  - From: Joseph Myers
- Re: [PATCH] vfprintf stack overflow [BZ #16617]
  - From: Rich Felker

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]