[Bug stdio/30039] __vsprintf_internal does not handle unspecified buffer length in fortify mode
fweimer at redhat dot com
sourceware-bugzilla@sourceware.org
Wed Jan 25 10:19:51 GMT 2023
https://sourceware.org/bugzilla/show_bug.cgi?id=30039
Florian Weimer <fweimer at redhat dot com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
              Flags|                            |security-
   Target Milestone|---                         |2.37

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for 2.37 via:

commit 0d50f477f47ba637b54fb03ac48d769ec4543e8d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 25 08:01:00 2023 +0100

    stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)

    This shows up as an assertion failure when sprintf is called with
    a specifier like "%.8g" and libquadmath is linked in:

    Fatal glibc error: printf_buffer_as_file.c:31
    (__printf_buffer_as_file_commit): assertion failed:
    file->stream._IO_write_ptr <= file->next->write_end

    Fix this by detecting pointer wraparound in __vsprintf_internal
    and saturate the addition to the end of the address space instead.

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    Tested-by: Carlos O'Donell <carlos@redhat.com>

Introduced in the vfprintf refactoring, so need for backporting.
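
The wraparound check described in the commit message above, as an added example that is not glibc's code: it computes a buffer end from a start address and a size of (size_t) -1, first naively and then with saturation, and tests the write-pointer invariant from the assertion. The names saturating_end, naive_end and write_ptr_in_bounds are hypothetical, the addresses are constructed, and size_t is assumed to be as wide as uintptr_t.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper, not a glibc function.  Fortified callers pass
   (size_t) -1 when the destination size is unknown, so start + size
   wraps past the top of the address space.  */
static uintptr_t
naive_end (uintptr_t start, size_t size)
{
  return start + size;          /* unsigned arithmetic: wraps silently */
}

/* Same computation, but detect the wraparound and saturate the result
   to the highest representable address instead.  */
static uintptr_t
saturating_end (uintptr_t start, size_t size)
{
  uintptr_t end = start + size;
  if (end < start)              /* the sum wrapped around */
    end = UINTPTR_MAX;
  return end;
}

/* The invariant the failed assertion checks: the write pointer must
   never be past the end of the buffer.  */
static int
write_ptr_in_bounds (uintptr_t write_ptr, uintptr_t end)
{
  return write_ptr <= end;
}

int
main (void)
{
  uintptr_t start = 0x1000;            /* constructed sample address */
  uintptr_t write_ptr = start + 8;     /* after writing 8 bytes */
  size_t unknown = (size_t) -1;        /* "size not specified" */

  printf ("naive end in bounds:      %d\n",
          write_ptr_in_bounds (write_ptr, naive_end (start, unknown)));
  printf ("saturating end in bounds: %d\n",
          write_ptr_in_bounds (write_ptr, saturating_end (start, unknown)));
  return 0;
}
```

With the naive computation the end lands one byte below the start, so any write at all violates the invariant; the saturated end keeps it true.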