public inbox for glibc-bugs@sourceware.org
From: "carlos at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/17829] Incorrect handling of precision specifier in printf family
Date: Wed, 18 Feb 2015 14:33:00 -0000
Message-ID: <bug-17829-131-zrkoVfDgh8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17829-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=17829

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #2 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Florian Weimer from comment #1)
> Carlos, do you remember what the “32” in stdio-common/vfprintf.c guards
> against?  (You helped to fix some overflow-related issues in this area.)
> 
>       if (prec > width
>           && prec > sizeof (work_buffer) / sizeof (work_buffer[0]) - 32)
>         {
>           if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) - 32))
>             {
>               __set_errno (EOVERFLOW);
>               done = -1;
>               goto all_done;
>             }
>           size_t needed = ((size_t) prec + 32) * sizeof (CHAR_T);
> 
> I'm a bit at a loss here.  Certainly, this use is not recommended because
> printf will allocate tons of memory as part of the format processing.

The +32 is an arbitrarily selected value to make the buffer large enough to be
OK for the largest precision we need. It is an artifact of sloppy accounting
for how much would be needed. The correct fix is to be more precise in
computing what we need.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
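The exact-accounting alternative that the reply above points at, written out as an added example; it is not part of the original thread and not glibc code. It computes how many characters a "%.*d" conversion really produces and raises EOVERFLOW only when that count cannot be returned through printf's int result, instead of reserving an arbitrary 32 extra characters and then guarding the sum with an equally arbitrary "- 32". The names precise_int_conversion_len, format_precise_int and matches_snprintf are this example's own, and the sample values it checks are constructed here.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not glibc code: exact-size accounting for a "%.*d"
   conversion, in place of the "(prec + 32)" slack and "- 32" guard quoted
   above.  The function names are this example's own, not glibc APIs. */

/* Magnitude of value as an unsigned quantity; also correct for INTMAX_MIN. */
static uintmax_t magnitude(intmax_t value)
{
    return value < 0 ? (uintmax_t)0 - (uintmax_t)value : (uintmax_t)value;
}

/* Number of decimal digits in mag (0 counts as one digit). */
static size_t decimal_digits(uintmax_t mag)
{
    size_t n = 1;
    for (; mag >= 10; mag /= 10)
        n++;
    return n;
}

/* Exact length, without the NUL, of "%.*d" applied to value.  Returns 0 and
   stores it in *len, or -1 with errno = EOVERFLOW when it would not fit in
   an int (printf's return type).  C11 7.21.6.1p5 rules: precision is the
   minimum digit count, a negative precision counts as omitted (default 1),
   and precision 0 with value 0 produces no digits at all. */
int precise_int_conversion_len(intmax_t value, int prec, size_t *len)
{
    uintmax_t mag = magnitude(value);
    size_t ndigits = decimal_digits(mag), digits;

    if (prec < 0)
        prec = 1;
    if (prec == 0 && mag == 0)
        digits = 0;
    else
        digits = (size_t)prec > ndigits ? (size_t)prec : ndigits;

    /* digits <= INT_MAX and the sign adds at most 1, so no size_t wrap here. */
    size_t needed = digits + (value < 0 ? 1 : 0);
    if (needed > (size_t)INT_MAX) {
        errno = EOVERFLOW;
        return -1;
    }
    *len = needed;
    return 0;
}

/* Format value as "%.*d" into a heap buffer of exactly len + 1 bytes, with
   no slack.  Returns NULL with errno set on overflow or allocation failure. */
char *format_precise_int(intmax_t value, int prec)
{
    size_t len;
    if (precise_int_conversion_len(value, prec, &len) != 0)
        return NULL;
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL;

    /* Fill from the right: significant digits, zero padding, then the sign. */
    uintmax_t mag = magnitude(value);
    size_t pos = len, sign_width = value < 0 ? 1 : 0;
    buf[pos] = '\0';
    if (!(prec == 0 && mag == 0)) {
        do {
            buf[--pos] = (char)('0' + mag % 10);
            mag /= 10;
        } while (mag != 0);
    }
    while (pos > sign_width)
        buf[--pos] = '0';
    if (sign_width)
        buf[--pos] = '-';
    return buf;
}

/* Cross-check a small case against the C library: 1 when content and
   length both agree with snprintf, 0 otherwise. */
int matches_snprintf(intmax_t value, int prec)
{
    char expect[64];
    int n = snprintf(expect, sizeof expect, "%.*jd", prec, value);
    if (n < 0 || (size_t)n >= sizeof expect)
        return 0;
    char *got = format_precise_int(value, prec);
    if (got == NULL)
        return 0;
    int ok = strlen(got) == (size_t)n && strcmp(got, expect) == 0;
    free(got);
    return ok;
}

int main(void)
{
    size_t len;
    /* INT_MAX zero-padded digits fit printf's int result; the same
       precision on a negative value needs one more byte for the sign. */
    int ok = precise_int_conversion_len(7, INT_MAX, &len) == 0
          && precise_int_conversion_len(-7, INT_MAX, &len) == -1;
    printf("precision INT_MAX: %s; agrees with snprintf: %d %d %d\n",
           ok ? "7 fits, -7 sets EOVERFLOW" : "unexpected",
           matches_snprintf(-5, 3), matches_snprintf(0, 0),
           matches_snprintf(INTMAX_MIN, 25));
    return ok ? 0 : 1;
}
```

Width, the "#" and "+" flags and thousands grouping would each add their own exact term to the same sum; this example covers precision and sign only, which is enough to show why the slack is unnecessary: the check that matters is whether the exact total still fits in an int.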

From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug nptl/17013] pthread_cond_broadcast could call lll_unlock() twice, breaking the shared data
Date: Wed, 18 Feb 2015 14:38:00 -0000
Message-ID: <bug-17013-131-iBPTPcFpv8@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-17013-131@http.sourceware.org/bugzilla/>
References: <bug-17013-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=17013

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?

--- Comment #3 from Florian Weimer <fweimer at redhat dot com> ---
This may have security implications.  I asked on libc-alpha, on the original
thread: https://sourceware.org/ml/libc-alpha/2015-02/msg00510.html

--
You are receiving this mail because:
You are on the CC list for the bug.


Thread overview: 12+ messages
2015-01-12  4:32 [Bug libc/17829] New: " nfxjfg at googlemail dot com
2015-01-12  4:33 ` [Bug libc/17829] " nfxjfg at googlemail dot com
2015-01-12 17:52 ` [Bug stdio/17829] " jsm28 at gcc dot gnu.org
2015-01-29 13:00 ` fweimer at redhat dot com
2015-02-18 14:27 ` fweimer at redhat dot com
2015-02-18 14:33 ` carlos at redhat dot com [this message]
2015-02-18 17:26 ` nfxjfg at googlemail dot com
2020-07-07 14:54 ` cvs-commit at gcc dot gnu.org
2022-08-30  8:23 ` cvs-commit at gcc dot gnu.org
2022-08-30  8:45 ` cvs-commit at gcc dot gnu.org
2022-08-30  9:20 ` cvs-commit at gcc dot gnu.org
2022-08-30 11:07 ` cvs-commit at gcc dot gnu.org
