public inbox for cygwin@cygwin.com
From: Tony Cook <tony@develop-help.com>
To: cygwin@cygwin.com
Subject: Re: possible snprintf() regression in 3.3.2
Date: Thu, 18 Nov 2021 11:06:49 +1100	[thread overview]
Message-ID: <20211118000649.GG10332@venus.tony.develop-help.com> (raw)
In-Reply-To: <YZT1S8wDnaBuYf5u@calimero.vinschen.de>

On Wed, Nov 17, 2021 at 01:27:55PM +0100, Corinna Vinschen via Cygwin wrote:
> On Nov 17 18:21, Takashi Yano via Cygwin wrote:
> > On Wed, 17 Nov 2021 11:37:18 +1100
> > Tony Cook wrote:
> > > This came up from regression testing perl.
> > > 
> > > Regression testing of perl @4a1b9dd524007193213d3919d6a331109608b90c
> > > used (from uname):
> > > [...]
> > I found it was caused by the commit:
> > commit 4d90e5335914551862831de3e02f6c102b78435b
> > Author: Corinna Vinschen <corinna@vinschen.de>
> > Date:   Thu Nov 4 11:30:44 2021 +0100
> > 
> >     ldtoa: fix dropping too many digits from output
> > 
> >     ldtoa cuts the number of digits it returns based on a computation of
> >     number of supported bits (144) divided by log10(2).  Not only is the
> >     integer approximation of log10(2) ~= 8/27 missing a digit here, it
> >     also fails to take really small double and long double values into
> >     account.
> > 
> >     Allow for the full potential precision of long double values.  At the
> >     same time, change the local string array allocation to request only as
> >     many bytes as necessary to support the caller-requested number of
> >     digits, to keep the stack size low on small targets.
> > 
> >     In the long run a better fix would be to switch to gdtoa, as the BSD
> >     variants, as well as Mingw64 do.
> > 
> >     Signed-off-by: Corinna Vinschen <corinna@vinschen.de>
> > 
> > Reverting this commit solves the problem.
> > 
> > Corinna, could you please have a look?
> 
> I don't have a good solution.  The old ldtoa code is lacking; for
> switching newlib to gdtoa I simply don't have the time.  On the newlib
> list was a short discussion starting at
> https://sourceware.org/pipermail/newlib/2021/018626.html but nothing
> came out of it yet.
> 
> Patches gratefully accepted (except just reverting the above change).

From what I can tell the problem has nothing to do with the extra
precision, but has to do with misusing ndigits for the buffer size
with a %f format string, leading to a buffer overflow.

At entry to _ldtoa_r() ndigits is 9, but for a %f format with a large
number the number of digits is more closely related to the magnitude
of the number, not ndigits.

With the input number (9e99) and the supplied format I'd expect 109
characters output, but outbuf is only:

   ndigits + MAX_EXP_DIGITS + 10 = 9 + 5 + 10 = 24

characters in length.

Tony
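As an added illustration of the sizing mismatch described above (this is not code from the mail thread or from newlib), the program below reconstructs the quoted buffer rule `ndigits + MAX_EXP_DIGITS + 10` and compares it with the length a `%f` conversion of 9e99 actually produces. The value `MAX_EXP_DIGITS = 5` is taken from the arithmetic in the message (9 + 5 + 10 = 24); the conversion `%.9f` is an assumption, since the exact format string from the original report is not on this page. The safe path asks `snprintf` for the required length before allocating, which is the check a caller needs when the digit count is driven by the magnitude of the number rather than by the requested precision.

```c
#include <stdio.h>
#include <stdlib.h>

/* Reconstruction of the buffer rule quoted in the mail:
 * ndigits + MAX_EXP_DIGITS + 10.  MAX_EXP_DIGITS = 5 is inferred from the
 * arithmetic in the message (9 + 5 + 10 = 24); it is an assumption here. */
#define MAX_EXP_DIGITS 5

/* Buffer size the heuristic would hand out for a given ndigits. */
size_t heuristic_bufsize(int ndigits)
{
    return (size_t)ndigits + MAX_EXP_DIGITS + 10;
}

/* Characters (excluding the NUL) that "%.<prec>f" of v really needs.
 * snprintf with a NULL buffer and size 0 reports the length without
 * writing anything, so it is safe to call on any input. */
size_t needed_fixed_len(double v, int prec)
{
    int n = snprintf(NULL, 0, "%.*f", prec, v);
    return n < 0 ? 0 : (size_t)n;
}

/* 1 if a buffer sized by the heuristic (with ndigits == prec) would be too
 * small to hold the %f output plus its terminating NUL, else 0. */
int heuristic_overflows(double v, int prec)
{
    return needed_fixed_len(v, prec) + 1 > heuristic_bufsize(prec);
}

/* Safe formatting: measure first, then allocate exactly what is needed.
 * Returns a malloc'd string (caller frees) or NULL on failure; the length
 * is stored through out_len when it is non-NULL. */
char *format_fixed_safe(double v, int prec, size_t *out_len)
{
    size_t need = needed_fixed_len(v, prec);
    char *buf = malloc(need + 1);
    if (buf == NULL)
        return NULL;
    int n = snprintf(buf, need + 1, "%.*f", prec, v);
    if (n < 0 || (size_t)n != need) {
        free(buf);
        return NULL;
    }
    if (out_len != NULL)
        *out_len = need;
    return buf;
}

int main(void)
{
    double v = 9e99;   /* the input value from the report */
    int prec = 9;      /* assumed: ndigits == 9 used as the %f precision */
    size_t len = 0;

    printf("heuristic buffer for ndigits=%d: %zu bytes\n",
           prec, heuristic_bufsize(prec));
    printf("%%.%df of 9e99 needs %zu characters (+1 for NUL)\n",
           prec, needed_fixed_len(v, prec));
    printf("heuristic too small: %s\n",
           heuristic_overflows(v, prec) ? "yes" : "no");

    char *s = format_fixed_safe(v, prec, &len);
    if (s != NULL) {
        printf("safe output (%zu chars): %s\n", len, s);
        free(s);
    }
    return 0;
}
```

With the assumed `%.9f` the integer part of 9e99 alone takes 100 digits, so the conversion needs 110 characters against a 24-byte heuristic buffer; a small value such as 1.5 fits comfortably, which is why the problem only surfaces with large magnitudes.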

Thread overview: 23+ messages
2021-11-17  0:37 Tony Cook
2021-11-17  9:21 ` Takashi Yano
2021-11-17 12:27   ` Corinna Vinschen
2021-11-18  0:06     ` Tony Cook [this message]
2021-11-18 11:35       ` Takashi Yano
2021-11-18 13:19         ` Corinna Vinschen
2021-11-18 14:11           ` Noel Grandin
2021-11-18 14:27             ` Corinna Vinschen
2021-11-18 21:08               ` Sam Edge
2021-11-21  0:16                 ` Tony Cook
2021-11-22 10:34                   ` Corinna Vinschen
2021-11-22 13:04                     ` Corinna Vinschen
2021-11-22 23:23                       ` Tony Cook
2021-11-23  8:34                         ` Takashi Yano
2021-11-23  9:48                           ` Corinna Vinschen
2021-11-24  3:40                             ` Takashi Yano
2021-11-24  8:48                               ` Corinna Vinschen
2021-11-24  8:52                               ` Takashi Yano
2021-11-24  9:14                                 ` Takashi Yano
2021-11-24  9:28                                   ` Corinna Vinschen
2021-11-24 12:29                                     ` Lemke, Michael  SF/HZA-ZI2E
2021-11-25 12:02                                     ` Takashi Yano
2021-11-25 12:45                                       ` Corinna Vinschen
