This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: wprintf/vfprintf.c vs. large precision: allocates far too much memory
Wolfram Gloger <wmglo@dent.med.uni-muenchen.de> wrote:
> Hi,
>
>> Here's an untested patch to protect against an inordinately large
>> precision. However, if the string itself has length SIZE_MAX / 4
>> or greater, the expressions still overflow.
>>
>> diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
>> index 20c07ce..1e2d928 100644
>> --- a/stdio-common/vfprintf.c
>> +++ b/stdio-common/vfprintf.c
>> @@ -1026,7 +1026,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
>> const char *mbs = (const char *) string; \
>> mbstate_t mbstate; \
>> \
>> - len = prec != -1 ? (size_t) prec : strlen (mbs); \
>> + len = strlen (mbs); \
>> + if (prec != -1) \
>> + len = (size_t) prec; \
>> \
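Review bot: this hunk is a no-op relative to the removed ternary: when prec != -1 the new code still assigns len = (size_t) prec unconditionally, so the strlen result is discarded and an oversized precision still drives the allocation below exactly as before. To actually bound the allocation, take prec only when it is smaller than the string length (or compute the length with strnlen (mbs, prec) so the scan stops at the precision and cannot exceed it).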
>
> I've stared at this patch for 4 minutes now, and even accounting for
> potential traps with arithmetic conversion I can't see any effect.
You're right. This is what I meant:
diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
index 20c07ce..c17cd50 100644
--- a/stdio-common/vfprintf.c
+++ b/stdio-common/vfprintf.c
@@ -1026,7 +1026,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
const char *mbs = (const char *) string; \
mbstate_t mbstate; \
\
- len = prec != -1 ? (size_t) prec : strlen (mbs); \
+ len = strlen (mbs); \
+ if (prec != -1 && prec < len) \
+ len = (size_t) prec; \
\
/* Allocate dynamically an array which definitely is long \
enough for the wide character version. */ \
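Review bot: calling strlen (mbs) before consulting prec changes behaviour for callers that rely on the precision to bound the read: the scan now runs to the first NUL regardless of prec, which can read past the intended prefix when the argument is not NUL-terminated within prec characters. Using strnlen (mbs, prec) when prec != -1 (and strlen only otherwise) keeps the read bounded and still caps len at min (prec, length). Also, in `if (prec != -1 && prec < len)` the comparison is between an int and a size_t, so prec is converted to size_t for the test; that is fine once -1 is excluded and prec is non-negative, but worth a comment. The caveat in the description still stands: a string of length SIZE_MAX / 4 or more can still overflow the allocation size computed below.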