From: "carlos at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/17829] Incorrect handling of precision specifier in printf family
Date: Wed, 18 Feb 2015 14:33:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=17829

Carlos O'Donell changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |carlos at redhat dot com

--- Comment #2 from Carlos O'Donell ---
(In reply to Florian Weimer from comment #1)
> Carlos, do you remember what the “32” in stdio-common/vfprintf.c guards
> against?  (You helped to fix some overflow-related issues in this area.)
>
> 1574       if (prec > width
> 1575           && prec > sizeof (work_buffer) / sizeof (work_buffer[0]) - 32)
> 1576         {
> 1577           if (__glibc_unlikely (prec >= INT_MAX / sizeof (CHAR_T) - 32))
> 1578             {
> 1579               __set_errno (EOVERFLOW);
> 1580               done = -1;
> 1581               goto all_done;
> 1582             }
> 1583           size_t needed = ((size_t) prec + 32) * sizeof (CHAR_T);
>
> I'm a bit at a loss here.  Certainly, this use is not recommended because
> printf will allocate tons of memory as part of the format processing.

The +32 is an arbitrarily selected value to make the buffer large enough to
be OK for the largest precision we need. It is an artifact of sloppy
accounting for how much would be needed. The correct fix is to be more
precise in computing what we need.

--
You are receiving this mail because:
You are on the CC list for the bug.


From: "fweimer at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug nptl/17013] pthread_cond_broadcast could call lll_unlock() twice, breaking the shared data
Date: Wed, 18 Feb 2015 14:38:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=17013

Florian Weimer changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fweimer at redhat dot com
              Flags|                            |security?

--- Comment #3 from Florian Weimer ---
This may have security implications.  I asked on libc-alpha, on the original
thread:

https://sourceware.org/ml/libc-alpha/2015-02/msg00510.html

--
You are receiving this mail because:
You are on the CC list for the bug.
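Going back to the vfprintf.c lines quoted in comment #2 of bug 17829 above: the following is an added stand-alone C example, not glibc's code, that lifts the guard at lines 1577-1583 into a function with sizeof (CHAR_T) passed in as a parameter, so the EOVERFLOW threshold and the resulting work-buffer size can be checked for both the narrow and the wide printf family. The function names vfprintf_work_bytes and guard_is_tight are my own.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Re-creates the precision-to-buffer-size step quoted from
   stdio-common/vfprintf.c (lines 1577-1583 in the bug report).
   char_size stands in for sizeof (CHAR_T): 1 for the narrow printf
   family, sizeof (wchar_t) for the wide one.  glibc only reaches this
   step for a precision larger than the fixed work_buffer, so prec is
   expected to be non-negative here.
   Returns 0 and stores the byte count in *needed, or -1 with
   errno == EOVERFLOW when (prec + 32) * char_size would exceed INT_MAX,
   the largest count printf can report. */
int vfprintf_work_bytes (int prec, size_t char_size, size_t *needed)
{
  if (prec >= (int) (INT_MAX / char_size - 32))
    {
      errno = EOVERFLOW;
      return -1;
    }
  /* The +32 is the slack Carlos describes: padding chosen so the largest
     precision fits, not an exact count of what the conversion emits.  */
  *needed = ((size_t) prec + 32) * char_size;
  return 0;
}

/* True when the guard is tight for this char_size: the largest precision
   it accepts still yields a byte count that fits in INT_MAX.  */
int guard_is_tight (size_t char_size)
{
  int max_ok = (int) (INT_MAX / char_size - 32) - 1;
  size_t n;
  return vfprintf_work_bytes (max_ok, char_size, &n) == 0 && n <= INT_MAX;
}

int main (void)
{
  /* Constructed sample precisions, checked against the wide-char size.  */
  int precs[] = { 6, 1000000, INT_MAX / 4 - 32, INT_MAX - 1 };
  size_t n;
  for (size_t i = 0; i < sizeof precs / sizeof precs[0]; i++)
    {
      if (vfprintf_work_bytes (precs[i], sizeof (wchar_t), &n) == 0)
        printf ("prec %d -> %zu bytes of work buffer\n", precs[i], n);
      else
        printf ("prec %d -> rejected with EOVERFLOW\n", precs[i]);
    }
  return 0;
}
```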