This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/4514] New: printf_unknown calculates work_buffer size incorrectly


The printf_unknown() function, which is called when an unknown format specifier
is encountered, calculates the size of its local work_buffer array incorrectly.
The code uses the maximum of the format width specifier and the format letter
value where it should be using the maximum width of the text representation of
these values.

Here is the current code:

/* Handle an unknown format specifier.  This prints out a canonicalized
   representation of the format spec itself.  */
static int
printf_unknown (FILE *s, const struct printf_info *info,
		const void *const *args)

{
  int done = 0;
  CHAR_T work_buffer[MAX (info->width, info->spec) + 32];
  CHAR_T *const workend
    = &work_buffer[sizeof (work_buffer) / sizeof (CHAR_T)];

This code uses the integer value of the format width specifier and the integer
value of the unrecognized format letter to calculate the array size. Since
work_buffer[] is used to store the canonicalized representation of the
unrecognized format specification, the sizes that should be used are the widths
of the text representation of the info->width and info->spec values.

The following code typically causes a processor exception:

#include <stdio.h>

int
main(int	argc,
     char**	argv)
{
    /* '*' takes the field width from the next argument (0x12345678);
       '"' is not a conversion specifier, so printf_unknown() is entered
       with info->width = 0x12345678 and info->spec = '"'. */
    printf("This is a bad format string: %*\"\n", 0x12345678);

    return (0);
}

For this code, info->width is 0x12345678 and info->spec is '"'. The
printf_unknown() function calculates MAX(info->width, info->spec) + 32, or
MAX(0x12345678, 0x22) + 32, and uses this to size the work_buffer array on the
stack. Since the resultant size exceeds the stack bounds, the code segfaults
instead of printing what the glibc coder intended, %305419896".

-- 
           Summary: printf_unknown calculates work_buffer size incorrectly
           Product: glibc
           Version: 2.3.3
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: steve dot hawkes at motorola dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: all
  GCC host triplet: all
GCC target triplet: all


http://sourceware.org/bugzilla/show_bug.cgi?id=4514

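The following is an added example, not code from the bug report or from glibc, that makes the report's sizing argument concrete. It renders the canonical "%[flags][width][.prec]spec" text the way printf_unknown() intends to, and compares the bytes the buggy expression MAX (info->width, info->spec) + 32 reserves with the bytes the text actually needs. The struct unknown_spec below is a constructed stand-in for the printf_info fields the real function consults (width, prec, spec and the flag bits); the function names, the 64-byte scratch buffer and the treatment of a negative width as the '-' flag with the absolute width (as printf(3) specifies for '*') are this example's own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the printf_info fields printf_unknown() reads.
 * It is not glibc's struct printf_info. */
struct unknown_spec {
    int width;   /* field width, 0 if none (negative: from a negative '*' arg) */
    int prec;    /* precision, -1 if none */
    int spec;    /* the unrecognized conversion character */
    unsigned alt:1, space:1, left:1, showsign:1, group:1;
};

/* Number of decimal digits in v. */
static size_t decimal_digits(unsigned long v)
{
    size_t n = 1;
    while (v >= 10) {
        v /= 10;
        n++;
    }
    return n;
}

/* Magnitude of the width without overflowing on INT_MIN. */
static unsigned width_magnitude(int width)
{
    return width < 0 ? 0u - (unsigned)width : (unsigned)width;
}

/* Bytes the buggy expression MAX (info->width, info->spec) + 32 reserves:
 * it grows with the numeric value of the width, not with its digit count. */
size_t buggy_work_buffer_size(const struct unknown_spec *info)
{
    int m = info->width > info->spec ? info->width : info->spec;
    return (size_t)m + 32;
}

/* Bytes the canonical text actually needs, including the NUL:
 * '%', at most five flag characters, the digits of width and prec,
 * a '.' before prec, and the spec character. For int fields this never
 * exceeds 29, so a 32-byte scratch area would always suffice. */
size_t needed_work_buffer_size(const struct unknown_spec *info)
{
    unsigned w = width_magnitude(info->width);
    size_t n = 1 + 5;
    if (w != 0)
        n += decimal_digits(w);
    if (info->prec >= 0)
        n += 1 + decimal_digits((unsigned long)info->prec);
    return n + 1 + 1;
}

/* Write the canonical spec into out (outsz bytes, may be 0). Returns the
 * full text length like snprintf, so the caller can detect truncation. */
size_t render_unknown_spec(const struct unknown_spec *info, char *out, size_t outsz)
{
    char flags[6];
    size_t nf = 0;
    unsigned w = width_magnitude(info->width);
    int left = info->left || info->width < 0;   /* negative '*' width means '-' */
    char tmp[64];                               /* bounded: see needed_work_buffer_size */
    int n;

    if (info->alt)      flags[nf++] = '#';
    if (info->space)    flags[nf++] = ' ';
    if (left)           flags[nf++] = '-';
    if (info->showsign) flags[nf++] = '+';
    if (info->group)    flags[nf++] = '\'';
    flags[nf] = '\0';

    if (w != 0 && info->prec >= 0)
        n = snprintf(tmp, sizeof tmp, "%%%s%u.%d%c", flags, w, info->prec, info->spec);
    else if (w != 0)
        n = snprintf(tmp, sizeof tmp, "%%%s%u%c", flags, w, info->spec);
    else if (info->prec >= 0)
        n = snprintf(tmp, sizeof tmp, "%%%s.%d%c", flags, info->prec, info->spec);
    else
        n = snprintf(tmp, sizeof tmp, "%%%s%c", flags, info->spec);

    if (outsz > 0) {
        size_t c = (size_t)n < outsz ? (size_t)n : outsz - 1;
        memcpy(out, tmp, c);
        out[c] = '\0';
    }
    return (size_t)n;
}

int main(void)
{
    /* The values the report's reproducer hands to printf_unknown(). */
    struct unknown_spec s = { 0x12345678, -1, '"', 0, 0, 0, 0, 0 };
    char buf[64];

    render_unknown_spec(&s, buf, sizeof buf);
    printf("canonical text : %s\n", buf);
    printf("buggy size     : %zu bytes on the stack\n", buggy_work_buffer_size(&s));
    printf("needed size    : %zu bytes\n", needed_work_buffer_size(&s));
    return 0;
}
```

For the reproducer's width of 0x12345678 the buggy expression asks for roughly 305 MB of stack for a string that is 11 characters long; any caller-controlled '*' width therefore turns a harmless unknown specifier into a stack exhaustion. Sizing by digit count bounds the array regardless of the argument's magnitude.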

