Bug in vfprintf?

J. Johnston jjohnstn@redhat.com
Sat Feb 1 00:56:00 GMT 2003 

Ok, another patch for you.  The previous patch was not robust enough.
The allocation of the buffer cannot occur until we know the size
of the result so we need to do this at the end of the routine instead
of the start.  We can use a fixed-length local buffer up to that point
which is reasonable in size.

-- Jeff J.

Jason Tishler wrote:
> Jeff,
> 
> On Tue, Jan 07, 2003 at 02:56:20PM -0500, J. Johnston wrote:
> 
>>Jason Tishler wrote:
>>
>>>On Mon, Jan 06, 2003 at 10:05:19PM -0500, Charles Wilson wrote:
>>>
>>>>J. Johnston wrote:
>>>>
>>>>
>>>>>Try the attached patch with your testsuite.
>>>>
>>>>That fixes it.  Thanks.
>>>
>>>It also fixes the following too:
>>>
>>>   http://cygwin.com/ml/cygwin/2003-01/msg00047.html
>>
>>Good.  Patch has been checked in.
> 
> 
> Changes to the Python regression test have uncovered another memory
> overwrite problem in this area of newlib.  The attached C program,
> test_string5.c, is a minimal testcase that demonstrates the problem
> (albeit, most likely only noticeable in a debugger).
> 
> Use the following invocation:
> 
>     test_string5 '%.50f'
> 
> to trigger the problem.
> 
> The following is an excerpt from libc/stdio/vfprintf.c:
> 
>   1022  static char *
>   1023  cvt(data, value, ndigits, flags, sign, decpt, ch, length)
>   ...
>   1069      if ((ch != 'g' && ch != 'G') || flags & ALT) {  /* Print ...
> *>1070          bp = digits + ndigits;
>   1071          if (ch == 'f') {
>   1072              if (*digits == '0' && value)
>   1073                  *decpt = -ndigits + 1;
> *>1074              bp += *decpt;
>   1075          }
>   1076          if (value == 0) /* kludge for __dtoa irregularity */
>   1077              rve = bp;
>   1078          while (rve < bp)
>   1079              *rve++ = '0';
>   1080      }
> 
> I'm not sure of the root cause, but line 1074 pushes bp to past the end
> of allocated memory which is 84 bytes in this testcase.  The combination
> of lines 1070 and 1074 cause the string to be padding to a field width
> of 100 instead of the requested 50 which overwrites adjacent memory.
> 
> I can "fix" the problem by allocating more memory than necessary in
> _ldtoa_r(), but that is probably not the best way to solve this problem.
> 
> I hope that this post will enable you to easily find the best solution.
> If you are too busy to address this problem, let me know and I will try
> to dig deeper and fix it myself.
> 
> Thanks,
> Jason
> 
> 
> 
> ------------------------------------------------------------------------
> 
> #include <stdio.h>
> 
> int
> main(int argc, char* argv[])
> {
> 	const char* format = argv[1];
> 	double value = 10033002222963781815252827772780694713070670000000.0;
> 	printf(format, value);
> 	printf("\n");
> 	return 0;
> }

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ldtoa.patch
URL: <http://sourceware.org/pipermail/newlib/attachments/20030201/54900c1b/attachment.ksh>

More information about the Newlib mailing list