public inbox for glibc-bugs@sourceware.org
From: "carlos at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/17829] Incorrect handling of precision specifier in printf family
Date: Wed, 18 Feb 2015 14:33:00 -0000
Message-ID: <bug-17829-131-zrkoVfDgh8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17829-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=17829

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #2 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Florian Weimer from comment #1)
> Carlos, do you remember what the “32” in stdio-common/vfprintf.c guards
> against?  (You helped to fix some overflow-related issues in this area.)
>
> 1574       if (prec > width
> 1575           && prec > sizeof (work_buffer) / sizeof (work_buffer[0]) - 32)
> 1576         {
> 1577           if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) - 32))
> 1578             {
> 1579               __set_errno (EOVERFLOW);
> 1580               done = -1;
> 1581               goto all_done;
> 1582             }
> 1583           size_t needed = ((size_t) prec + 32) * sizeof (CHAR_T);
>
> I'm a bit at a loss here.  Certainly, this use is not recommended because
> printf will allocate tons of memory as part of the format processing.

The +32 is an arbitrarily selected value to make the buffer large enough to be OK for the largest precision we need. It is an artifact of sloppy accounting for how much would be needed.

The correct fix is to be more precise in computing what we need.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
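Added illustration (not part of the thread, and not glibc's code): a stand-alone C program that reproduces the shape of the guard quoted above, so that the ordering Florian asks about is visible in isolation. A formatter keeps a fixed work buffer, switches to a separately allocated buffer when the precision will not fit, and has to reject a precision for which (prec + 32) * sizeof (CHAR_T) would overflow before it performs that multiplication, otherwise a wrapped size reaches the allocator. The names SLACK, needs_large_buffer and needed_buffer_bytes and the constructed inputs are this example's own; the 1000-element work buffer size is an assumption used only in the sample calls.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not glibc code.  Mirrors the guard quoted from
   stdio-common/vfprintf.c lines 1574-1583 with example-local names. */

/* The arbitrary headroom the bug thread is discussing. */
#define SLACK 32

/* Mirror of "prec > width && prec > work_buffer_chars - SLACK": returns 1
   when the fixed work buffer (work_buffer_chars elements, assumed to be
   larger than SLACK) is too small and a separately allocated buffer is
   required, 0 otherwise. */
int needs_large_buffer(int prec, int width, size_t work_buffer_chars)
{
    return prec > width && (size_t) prec > work_buffer_chars - SLACK;
}

/* Size in bytes of a buffer for prec characters of char_size bytes each,
   plus SLACK characters of headroom.  Returns 0 and sets errno to EOVERFLOW
   when the product would not fit in an int (the type the formatter counts
   with), or EINVAL for a negative precision, so the caller never allocates
   from a wrapped size. */
size_t needed_buffer_bytes(int prec, size_t char_size)
{
    if (prec < 0) {
        errno = EINVAL;
        return 0;
    }
    /* Same guard as the quoted line 1577: compare first, multiply after.
       INT_MAX / char_size - SLACK is the largest prec for which
       (prec + SLACK) * char_size stays below INT_MAX. */
    if ((size_t) prec >= INT_MAX / char_size - SLACK) {
        errno = EOVERFLOW;
        return 0;
    }
    return ((size_t) prec + SLACK) * char_size;
}

int main(void)
{
    /* Constructed inputs: a modest precision, the largest one the guard
       accepts for 4-byte characters, and two that it must reject. */
    int cases[] = { 100, INT_MAX / 4 - 33, INT_MAX / 4, INT_MAX };
    size_t char_size = sizeof(wchar_t);   /* wide-character formatting */

    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        errno = 0;
        size_t n = needed_buffer_bytes(cases[i], char_size);
        if (n == 0 && errno == EOVERFLOW)
            printf("prec=%d: rejected (EOVERFLOW)\n", cases[i]);
        else
            printf("prec=%d: needs %zu bytes\n", cases[i], n);
    }

    /* The fixed-buffer decision, assuming a 1000-element work buffer. */
    printf("prec=2000 width=10: large buffer %s\n",
           needs_large_buffer(2000, 10, 1000) ? "yes" : "no");
    printf("prec=500 width=10: large buffer %s\n",
           needs_large_buffer(500, 10, 1000) ? "yes" : "no");
    return 0;
}
```

The point a reviewer would check is that the comparison is against a precomputed bound, never against the product itself: once (prec + SLACK) * char_size has wrapped, comparing it to anything is too late. The example also shows why the +32 matters for the accounting Carlos describes: the rejection threshold moves by exactly the slack, so an imprecise slack both over-allocates and shifts the largest accepted precision.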
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug nptl/17013] pthread_cond_broadcast could call lll_unlock() twice, breaking the shared data
Date: Wed, 18 Feb 2015 14:38:00 -0000
Message-ID: <bug-17013-131-iBPTPcFpv8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17013-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=17013

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
This may have security implications.  I asked on libc-alpha, on the original thread:

https://sourceware.org/ml/libc-alpha/2015-02/msg00510.html

-- 
You are receiving this mail because:
You are on the CC list for the bug.
Thread overview: 12+ messages
2015-01-12  4:32 [Bug libc/17829] New: Incorrect handling of precision specifier in printf family  nfxjfg at googlemail dot com
2015-01-12  4:33 ` [Bug libc/17829] Incorrect handling of precision specifier in printf family  nfxjfg at googlemail dot com
2015-01-12 17:52 ` [Bug stdio/17829] Incorrect handling of precision specifier in printf family  jsm28 at gcc dot gnu.org
2015-01-29 13:00 ` fweimer at redhat dot com
2015-02-18 14:27 ` fweimer at redhat dot com
2015-02-18 14:33 ` carlos at redhat dot com [this message]
2015-02-18 17:26 ` nfxjfg at googlemail dot com
2020-07-07 14:54 ` cvs-commit at gcc dot gnu.org
2022-08-30  8:23 ` cvs-commit at gcc dot gnu.org
2022-08-30  8:45 ` cvs-commit at gcc dot gnu.org
2022-08-30  9:20 ` cvs-commit at gcc dot gnu.org
2022-08-30 11:07 ` cvs-commit at gcc dot gnu.org