Bug in Newlib's snprintf implementation
Corinna Vinschen
vinschen@redhat.com
Fri Feb 23 09:43:00 GMT 2018
On Feb 23 04:34, Sebastian Huber wrote:
> ----- Am 23. Feb 2018 um 4:00 schrieb Dominik Maier domenukk@gmail.com:
>
> > Hello,
> >
> > I've already reported this over at MinGW but since I could also
> > reproduce the Bug in Cygwin and understand both use Newlib, I figured
> > I'd post this here, too.
> >
> > The snprintf implementation is not compliant. This can lead to bugs and
> > memory corruptions.
> >
> > A simple PoC is the following
> >
> > char buf[4];
> > snprintf(buf, 4,"te%s", "st");
> > printf("%s", buf);
> >
> > It should print "tes" (0-terminated) but instead prints "test" and
> > appends random memory (tested in cygwin and mingw).
> >
>
> I cannot reproduce this issue on RTEMS. Here buf is "tes\0" and the return value is 4.
Tested on most recent Cygwin 2.10.0, x86 and x86_64. Both return
"tes\0" and the return value is 4.
> > The len field in this case is 4, which is correct (apart from the
> > missing zero termination), however it will return an error (-1) for any
> > larger input.
>
> It should return the actual size of the produced string and not -1.
Slight correction: snprintf returns the size of the string it would
have produced if it hadn't truncated the output. So a size value
of 4 ("test" would have been the desired result) is correct.
Having said that, I get the wrong result Dominik describes if I build
the test application as a MingW-w64 application. In that case, snprintf
returns 4 (correct) but the string is not \0 terminated, rather the
word "test" is fully printed and then some.
So the bug is *not* in Newlib or, FWIW, Cygwin, but rather in the
Mingw-w64 library. You should bring this to the attention of the
Mingw-w64 folks.
Here's another, more complete testcase to verify:
$ cat > poc.c << EOF
#include <stdio.h>
#include <string.h>
int
main ()
{
char buf[8];
int ret;
memset (buf, 'X', 7);
buf[7] = '\0';
ret = snprintf(buf, 4,"te%s", "st");
printf("%d %s\n", ret, buf);
}
EOF
$ gcc -g -o poc poc.c # Create Cygwin binary
$ ./poc
4 tes
$ x86_64-w64-mingw32-gcc -g -o poc poc.c # Create MingW binary
$ ./poc
4 testXXX
Corinna
--
Corinna Vinschen
Cygwin Maintainer
Red Hat
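An added test harness, written for this archive page and not part of Corinna's or Dominik's mail, that checks the C99 snprintf contract the reply describes: with a size of 4 and the format "te%s" / "st", a conforming implementation writes "tes" plus a terminating '\0', leaves the bytes beyond the size limit untouched, and returns 4, the length the untruncated string would have had. The function names check_snprintf and was_truncated are this example's own; the second one is the caller-side idiom for detecting truncation (a return value at or above the buffer size) that the thread's discussion of the "-1 for larger input" claim implies.

```c
#include <stdio.h>
#include <string.h>

/* Fill buf with 'X' sentinels (last byte '\0'), run the thread's snprintf
 * call with the given size limit, and return 1 if the result is conforming:
 * return value is the would-be length, output is NUL-terminated within the
 * first 'limit' bytes, and nothing past 'limit' was modified.
 * The snprintf return value is passed back through *ret. limit <= buflen. */
int check_snprintf(char *buf, size_t buflen, size_t limit, int *ret)
{
    memset(buf, 'X', buflen - 1);
    buf[buflen - 1] = '\0';

    *ret = snprintf(buf, limit, "te%s", "st");

    /* "test" is 4 characters, so a conforming snprintf returns 4 whatever
     * the limit is (including limit 0, where nothing is written). */
    if (*ret != 4)
        return 0;

    /* With a non-zero limit the output must be NUL-terminated inside it;
     * the MinGW-w64 result "testXXX" fails exactly this check. */
    if (limit > 0 && memchr(buf, '\0', limit) == NULL)
        return 0;

    /* Bytes at or beyond the limit must still be the 'X' sentinels. */
    for (size_t i = limit; i < buflen - 1; i++)
        if (buf[i] != 'X')
            return 0;

    return 1;
}

/* Caller-side idiom: treat a negative return (error) or a return value
 * at or above the buffer size (output did not fit) as truncation. */
int was_truncated(int ret, size_t size)
{
    return ret < 0 || (size_t)ret >= size;
}

int main(void)
{
    char buf[8];
    int ret;

    /* Sweep every size limit from 0 up to the full buffer. */
    for (size_t limit = 0; limit <= sizeof buf; limit++) {
        int ok = check_snprintf(buf, sizeof buf, limit, &ret);
        printf("size=%zu ret=%d buf=\"%s\" truncated=%d %s\n",
               limit, ret, buf, was_truncated(ret, limit),
               ok ? "conforming" : "NOT conforming");
    }
    return 0;
}
```

Build it the same two ways as the testcase in the mail (native gcc and x86_64-w64-mingw32-gcc); on a conforming libc every line reports "conforming", and the sentinel check is what distinguishes a missing terminator from a merely truncated string.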