* [Bug libc/4514] New: printf_unknown calculates work_buffer size incorrectly
@ 2007-05-16 19:59 steve dot hawkes at motorola dot com
  2007-05-21 17:51 ` [Bug libc/4514] " drepper at redhat dot com
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: steve dot hawkes at motorola dot com @ 2007-05-16 19:59 UTC (permalink / raw)
  To: glibc-bugs

The printf_unknown() function, which is called when an unknown format specifier
is encountered, calculates the size of its local work_buffer array incorrectly.
The code uses the maximum of the format width specifier and the format letter
value where it should be using the maximum width of the text representation of
these values.

Here is the current code:

/* Handle an unknown format specifier.  This prints out a canonicalized
   representation of the format spec itself.  */
static int
printf_unknown (FILE *s, const struct printf_info *info,
		const void *const *args)

{
  int done = 0;
  CHAR_T work_buffer[MAX (info->width, info->spec) + 32];
  CHAR_T *const workend
    = &work_buffer[sizeof (work_buffer) / sizeof (CHAR_T)];

This code uses the integer value of the format width specifier and the integer
value of the unrecognized format letter to calculate the array size. Since
work_buffer[] is used to store the canonicalized representation of the
unrecognized format specification, the sizes that should be used are the widths
of the text representation of the info->width and info->spec values.

The following code typically causes a processor exception:

#include <stdio.h>

int
main(int	argc,
     char**	argv)
{
    printf("This is a bad format string: %*\"\n", 0x12345678);
    
    return (0);
}

For this code, info->width is 0x12345678 and info->spec is '"'. The
printf_unknown() function calculates MAX(info->width, info->spec) + 32, or
MAX(0x12345678, 0x22) + 32, and uses this to size the work_buffer array on the
stack. Since the resultant size exceeds the stack bounds, the code segfaults
instead of printing what the glibc coder intended, %305419896".

-- 
           Summary: printf_unknown calculates work_buffer size incorrectly
           Product: glibc
           Version: 2.3.3
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: steve dot hawkes at motorola dot com
                CC: glibc-bugs at sources dot redhat dot com
 GCC build triplet: all
  GCC host triplet: all
GCC target triplet: all


http://sourceware.org/bugzilla/show_bug.cgi?id=4514
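To make the sizing mistake concrete, here is a small stand-alone C program (an added example, not the reporter's code and not glibc's own printf_unknown or its later fix). It evaluates the report's sizing expression as pure arithmetic, so nothing is actually allocated on the stack, and sets it beside a fixed, input-independent bound derived from how many characters an int can occupy in decimal. The rendering helper, its flag handling and the convention that a negative precision means "none given" are this example's own assumptions, not glibc's interface.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Sizing expression from the report, evaluated as a size_t.  The buffer
   grows with the *numeric value* of the width and of the format letter,
   not with the number of characters needed to print them.  Pure arithmetic;
   no array is declared from it here.  */
size_t
buggy_work_buffer_size (int width, int spec)
{
  int m = width > spec ? width : spec;
  return (size_t) m + 32;
}

/* Upper bound on the characters an int needs in decimal: each byte adds at
   most three digits (256 < 10^3), plus one for a leading '-'.  */
#define INT_DECIMAL_MAX (sizeof (int) * 3 + 1)

/* '%', up to four flag characters, the width, '.', the precision, the spec
   letter and a terminating NUL: a compile-time constant that does not depend
   on the values being printed.  */
#define SPEC_BUF_SIZE (1 + 4 + INT_DECIMAL_MAX + 1 + INT_DECIMAL_MAX + 1 + 1)

/* Render "%[-][width][.prec]spec" into out, which must hold SPEC_BUF_SIZE
   bytes.  prec < 0 means no precision was given (a convention assumed by
   this example).  Returns the number of characters written, or (size_t) -1
   if the spec letter is not printable or the output would not fit.  */
size_t
canonical_spec (int width, int prec, int spec, int left, char *out)
{
  char *p = out;
  char *end = out + SPEC_BUF_SIZE;
  int n;

  if (spec < 0x20 || spec > 0x7e)
    return (size_t) -1;

  *p++ = '%';
  if (left)
    *p++ = '-';
  if (width != 0)
    {
      n = snprintf (p, (size_t) (end - p), "%d", width);
      if (n < 0 || n >= end - p)
        return (size_t) -1;
      p += n;
    }
  if (prec >= 0)
    {
      n = snprintf (p, (size_t) (end - p), ".%d", prec);
      if (n < 0 || n >= end - p)
        return (size_t) -1;
      p += n;
    }
  if (end - p < 2)
    return (size_t) -1;
  *p++ = (char) spec;
  *p = '\0';
  return (size_t) (p - out);
}

/* Convenience wrapper: render into a correctly sized local buffer and
   compare with the expected canonical text.  */
int
spec_matches (int width, int prec, int spec, int left, const char *expected)
{
  char buf[SPEC_BUF_SIZE];
  size_t len = canonical_spec (width, prec, spec, left, buf);
  return len != (size_t) -1 && strcmp (buf, expected) == 0;
}

int
main (void)
{
  char buf[SPEC_BUF_SIZE];
  /* The report's input: width 0x12345678 supplied via '*', spec '"'.  */
  size_t bad = buggy_work_buffer_size (0x12345678, '"');
  size_t len = canonical_spec (0x12345678, -1, '"', 0, buf);

  printf ("flawed formula asks for %zu bytes of stack\n", bad);
  printf ("fixed bound is %zu bytes; rendered %s (%zu chars)\n",
          (size_t) SPEC_BUF_SIZE, buf, len);
  return 0;
}
```

Run as-is it prints the 305419928-byte request the flawed formula makes for the report's input next to the 34-byte fixed bound, and the canonical text `%305419896"` the report says glibc meant to emit. The worst case for the fixed bound is INT_MIN as width and INT_MAX as precision, which still fits with room to spare; the point is that the buffer size follows from sizeof (int), not from the caller's argument.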



Thread overview: 5+ messages
2007-05-16 19:59 [Bug libc/4514] New: printf_unknown calculates work_buffer size incorrectly steve dot hawkes at motorola dot com
2007-05-21 17:51 ` [Bug libc/4514] " drepper at redhat dot com
2007-07-12 13:31 ` cvs-commit at gcc dot gnu dot org
2007-07-12 15:23 ` cvs-commit at gcc dot gnu dot org
     [not found] <bug-4514-131@http.sourceware.org/bugzilla/>
2014-07-04 16:32 ` fweimer at redhat dot com
