This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: wprintf/vfprintf.c vs. large precision: allocates far too much memory


Hi,

> Here's an untested patch to protect against an inordinately large
> precision.  However, if the string itself has length SIZE_MAX / 4
> or greater, the expressions still overflow.
> 
> diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
> index 20c07ce..1e2d928 100644
> --- a/stdio-common/vfprintf.c
> +++ b/stdio-common/vfprintf.c
> @@ -1026,7 +1026,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
>  	    const char *mbs = (const char *) string;			      \
>  	    mbstate_t mbstate;						      \
>  									      \
> -	    len = prec != -1 ? (size_t) prec : strlen (mbs);		      \
> +	    len = strlen (mbs);						      \
> +	    if (prec != -1)						      \
> +	      len = (size_t) prec;					      \
>  									      \
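Review bot: the rewrite leaves the value of `len` unchanged, so the oversized-precision protection described in the cover text is not in this hunk: `len = strlen (mbs); if (prec != -1) len = (size_t) prec;` assigns exactly what `prec != -1 ? (size_t) prec : strlen (mbs)` assigned, and a huge precision is still taken at face value. What the hunk does add is an unconditional `strlen (mbs)`, which is wasted work whenever a precision is supplied and an out-of-bounds read when the caller passes a non-NUL-terminated array with `%.Ns` (C permits that as long as the array holds N bytes). To bound `len` by the string actually present, cap the precision instead of overriding the length, e.g. `len = prec != -1 ? strnlen (mbs, (size_t) prec) : strlen (mbs);`, which also keeps the read within `prec` bytes.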

I've stared at this patch for 4 minutes now, and even accounting for
potential traps with arithmetic conversion I can't see any effect...

Regards,
Wolfram.
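The length computation the quoted hunk touches, as an added example that is not glibc code and not part of this thread: it places the face-value use of the precision (the pre-patch `len = prec != -1 ? (size_t) prec : strlen (mbs)`) beside a variant that caps the precision with strnlen, and adds the overflow check a scratch-buffer allocation derived from `len` would need. The function names `naive_len`, `bounded_len` and `conversion_bytes`, and the one-wide-character-per-byte sizing, are assumptions of this example only.

```c
/* Added example, not glibc's vfprintf.c.  Models the `len` computation
 * discussed in the thread; all names here are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Mirrors the pre-patch logic: a precision is taken at face value, so a
 * "%.2000000000s" conversion yields len == 2000000000 for a 5-byte
 * string, and anything sized from len is sized from the precision. */
size_t naive_len(const char *mbs, int prec)
{
    return prec != -1 ? (size_t) prec : strlen(mbs);
}

/* Bounded variant: the precision only ever shortens the string.  strnlen
 * also stops after prec bytes, so an array that is not NUL-terminated but
 * holds at least prec bytes (which C allows for "%.Ns") is never read
 * past its end. */
size_t bounded_len(const char *mbs, int prec)
{
    return prec != -1 ? strnlen(mbs, (size_t) prec) : strlen(mbs);
}

/* Size of a scratch buffer for converting len bytes to wide characters,
 * assuming at most one wide character per byte (assumption of this
 * example).  Returns 0 instead of wrapping when len * sizeof(wchar_t)
 * would overflow size_t, so the caller can refuse the conversion. */
size_t conversion_bytes(size_t len)
{
    if (len > SIZE_MAX / sizeof(wchar_t))
        return 0;
    return len * sizeof(wchar_t);
}

/* Constructed input: three bytes with no terminating NUL, legal for
 * a "%.3s" conversion. */
const char unterminated[3] = {'a', 'b', 'c'};

int main(void)
{
    const char *s = "hello";
    int huge = 2000000000;

    printf("naive   %%.%ds -> len %zu\n", huge, naive_len(s, huge));
    printf("bounded %%.%ds -> len %zu\n", huge, bounded_len(s, huge));
    printf("bounded %%.3s on unterminated -> len %zu\n",
           bounded_len(unterminated, 3));
    printf("buffer for naive len: %zu bytes (0 = overflow)\n",
           conversion_bytes(naive_len(s, huge)));
    printf("buffer for SIZE_MAX: %zu bytes (0 = overflow)\n",
           conversion_bytes(SIZE_MAX));
    return 0;
}
```

With the bounded variant the allocation is driven by the bytes actually present, so the "allocates far too much memory" symptom from the subject line cannot be triggered by the precision alone; the separate SIZE_MAX / 4 overflow mentioned in the quoted message is what `conversion_bytes` guards against.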

