From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin@cygwin.com
Subject: Re: possible snprintf() regression in 3.3.2
Date: Thu, 18 Nov 2021 20:35:38 +0900
Message-ID: <20211118203538.a049809d57731fe375801c15@nifty.ne.jp>
In-Reply-To: <20211118000649.GG10332@venus.tony.develop-help.com>

On Thu, 18 Nov 2021 11:06:49 +1100
Tony Cook wrote:
> On Wed, Nov 17, 2021 at 01:27:55PM +0100, Corinna Vinschen via Cygwin wrote:
> > I don't have a good solution. The old ldtoa code is lacking, for
> > switching newlib to gdtoa I simply don't have the time. On the newlib
> > list was a short discussion starting at
> > https://sourceware.org/pipermail/newlib/2021/018626.html but nothing
> > came out of it yet.
> >
> > Patches gratefully accepted (except just reverting the above change).
>
> From what I can tell the problem has nothing to do with the extra
> precision, but has to do with misusing ndigits for the buffer size
> with a %f format string, leading to a buffer overflow.
>
> At entry to _ldtoa_r() ndigits is 9, but for a %f format with a large
> number the number of digits is more closely related to the magnitude
> of the number, not ndigits.
>
> With the input number (9e99) and the supplied format I'd expect 109
> characters output, but outbuf is only:
>
> ndigits + MAX_EXP_DIGITS + 10 = 9 + 5 + 10 = 24
>
> characters in length.
Then, isn't the following the right thing?
diff --git a/newlib/libc/stdlib/ldtoa.c b/newlib/libc/stdlib/ldtoa.c
index 7da61457b..826a1b2ed 100644
--- a/newlib/libc/stdlib/ldtoa.c
+++ b/newlib/libc/stdlib/ldtoa.c
@@ -2794,6 +2794,7 @@ _ldtoa_r (struct _reent *ptr, long double d, int mode, int ndigits,
LDPARMS rnd;
LDPARMS *ldp = &rnd;
char *outstr;
+ char outbuf[NDEC + MAX_EXP_DIGITS + 10];
union uconv du;
du.d = d;
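Review bot: The added `char outbuf[NDEC + MAX_EXP_DIGITS + 10];` is still sized from a digit-count limit, while the quoted analysis says the length of %f output follows the magnitude of the number (109 characters expected for 9e99). The visible lines do not show the value of NDEC, so nothing here establishes that the fixed array holds that output, or the output for the largest long double in this mode. Please add a comment stating the worst-case output length this bound is meant to cover, or size the buffer from the decimal exponent for the %f case.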
@@ -2840,8 +2841,6 @@ _ldtoa_r (struct _reent *ptr, long double d, int mode, int ndigits,
if (ndigits > NDEC)
ndigits = NDEC;
- char outbuf[ndigits + MAX_EXP_DIGITS + 10];
-
etoasc (e, outbuf, ndigits, mode, ldp);
s = outbuf;
if (eisinf (e) || eisnan (e))
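Review bot: The `etoasc (e, outbuf, ndigits, mode, ldp);` call still passes no buffer length, so nothing visible in the call limits how much is written into `outbuf`. Because `ndigits` is clamped to NDEC just above, the fixed array is never smaller than the removed `outbuf[ndigits + MAX_EXP_DIGITS + 10]`, but that is a larger margin and not a bound. Consider passing `sizeof outbuf` to etoasc and having it stop or report an error at the limit.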
--
Takashi Yano <takashi.yano@nifty.ne.jp>
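
The sizing problem described in the quoted analysis, as an added C example that is not part of the original message or of newlib: it compares the ndigits-based size with the length a %f conversion needs, and with a bound derived from the magnitude. `fixed_size_bound` is a hypothetical helper, MAX_EXP_DIGITS is taken as 5 from the quoted arithmetic, and a precision of 8 is an assumption chosen because it reproduces the quoted 109-character figure (the format string itself is not shown in this message).

```c
#include <float.h>
#include <stdio.h>

/* From the arithmetic quoted in the thread: 9 + 5 + 10 = 24. */
#define MAX_EXP_DIGITS 5

/* Size the quoted analysis attributes to outbuf: depends on ndigits only. */
static size_t ndigits_based_size(int ndigits)
{
    return (size_t)ndigits + MAX_EXP_DIGITS + 10;
}

/* Characters a %f conversion produces (excluding the NUL), measured with
   the C99 size-query form of snprintf. */
static size_t fixed_output_len(long double x, int prec)
{
    int n = snprintf(NULL, 0, "%.*Lf", prec, x);
    return n < 0 ? 0 : (size_t)n;
}

/* Hypothetical sizing rule: upper bound in bytes (including the NUL) for
   %.<prec>Lf, driven by the magnitude of x rather than by ndigits. */
static size_t fixed_size_bound(long double x, int prec)
{
    size_t int_digits = 1;
    if (x != x || x > LDBL_MAX || x < -LDBL_MAX)
        return sizeof "-infinity";           /* NaN and infinities are short */
    if (x < 0)
        x = -x;
    while (x >= 10.0L) {                     /* count integer digits */
        x /= 10.0L;
        int_digits++;
    }
    /* sign + digits + rounding carry (9.99 -> 10.0) + '.' + prec + NUL */
    return 1 + int_digits + 1 + 1 + (size_t)prec + 1;
}

int main(void)
{
    const long double samples[] = { 9.0L, -9.99L, 9e9L, 9e99L }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12Lg old=%zu needed=%zu bound=%zu\n", samples[i],
               ndigits_based_size(9), fixed_output_len(samples[i], 8) + 1,
               fixed_size_bound(samples[i], 8));
    return 0;
}
```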