[Bug stdio/26211] New: printf integer overflow calculating allocation size

[Bug stdio/26211] New: printf integer overflow calculating allocation size

[jsm28 at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

            Bug ID: 26211
           Summary: printf integer overflow calculating allocation size
           Product: glibc
           Version: 2.32
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
  Target Milestone: ---

The following test segfaults on a 64-bit system (haven't tested 32-bit).  (Any
precision less than 0x7fffffe0 is OK; 0x7fffffe0 through 0x7fffffff result in
the crash.)

#include <stdio.h>
#include <stdlib.h>

int
main (void)
{
  FILE *fp;
  if ((fp = fopen ("/dev/null", "w")) == NULL)
    exit (1);
  fprintf (fp, "%2$.*1$a", 0x7fffffff, 1e200);
}

The problem is the code in printf_positional:

      /* Maybe the buffer is too small.  */
      if (MAX (prec, width) + EXTSIZ > WORK_BUFFER_SIZE)
        {
          if (__libc_use_alloca ((MAX (prec, width) + EXTSIZ)
                                 * sizeof (CHAR_T)))
            workend = ((CHAR_T *) alloca ((MAX (prec, width) + EXTSIZ)
                                          * sizeof (CHAR_T))
                       + (MAX (prec, width) + EXTSIZ));
          else
            {
              workstart = (CHAR_T *) malloc ((MAX (prec, width) + EXTSIZ)
                                             * sizeof (CHAR_T));
              if (workstart == NULL)
                {
                  done = -1;
                  goto all_done;
                }
              workend = workstart + (MAX (prec, width) + EXTSIZ);
            }
        }

The code in the implementation that doesn't use '$' argument numbers has a
check

        if (__glibc_unlikely (width >= INT_MAX / sizeof (CHAR_T) - EXTSIZ))
          {
            __set_errno (EOVERFLOW);
            done = -1;
            goto all_done;
          }

(and likewise for precision). The implementation for the case with '$' argument
numbers is missing that check. So MAX (prec, width) + EXTSIZ overflows.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Joseph Myers <jsm28@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6caddd34bd7ffb5ac4f36c8e036eee100c2cc535

commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Jul 7 14:54:12 2020 +0000

    Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).

    The vfprintf implementation (used for all printf-family functions)
    contains complicated logic to allocate internal buffers of a size
    depending on the width and precision used for a format, using either
    malloc or alloca depending on that size, and with consequent checks
    for size overflow and allocation failure.

    As noted in bug 26211, the version of that logic used when '$' plus
    argument number formats are in use is missing the overflow checks,
    which can result in segfaults (quite possibly exploitable, I didn't
    try to work that out) when the width or precision is in the range
    0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
    wprintf case on 32-bit systems, when the multiplication by sizeof
    (CHAR_T) can overflow).

    All that complicated logic in fact appears to be useless.  As far as I
    can tell, there has been no need (outside the floating-point printf
    code, which does its own allocations) for allocations depending on
    width or precision since commit
    3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
    of precision for integers", Sun Sep 12 21:23:32 1999 +0000).  Thus,
    this patch removes that logic completely, thereby fixing both problems
    with excessive allocations for large width and precision for
    non-floating-point formats, and the problem with missing overflow
    checks with such allocations.  Note that this does have the
    consequence that width and precision up to INT_MAX are now allowed
    where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
    been rejected, so could potentially expose any other overflows where
    the value would previously have been rejected by those removed checks.

    I believe this completely fixes bugs 14231 and 26211.

    Excessive allocations are still possible in the floating-point case
    (bug 21127), as are other integer or buffer overflows (see bug 26201).
    This does not address the cases where a precision larger than INT_MAX
    (embedded in the format string) would be meaningful without printf's
    return value overflowing (when it's used with a string format, or %g
    without the '#' flag, so the actual output will be much smaller), as
    mentioned in bug 17829 comment 8; using size_t internally for
    precision to handle that case would be complicated by struct
    printf_info being a public ABI.  Nor does it address the matter of an
    INT_MIN width being negated (bug 17829 comment 7; the same logic
    appears a second time in the file as well, in the form of multiplying
    by -1).  There may be other sources of memory allocations with malloc
    in printf functions as well (bug 24988, bug 16060).  From inspection,
    I think there are also integer overflows in two copies of "if ((width
    -= len) < 0)" logic (where width is int, len is size_t and a very long
    string could result in spurious padding being output on a 32-bit
    system before printf overflows the count of output characters).

    Tested for x86-64 and x86.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[jsm28 at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

Joseph Myers <jsm28 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.32
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Joseph Myers <jsm28 at gcc dot gnu.org> ---
Fixed for 2.32.

commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Jul 7 14:54:12 2020 +0000

    Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).

    The vfprintf implementation (used for all printf-family functions)
    contains complicated logic to allocate internal buffers of a size
    depending on the width and precision used for a format, using either
    malloc or alloca depending on that size, and with consequent checks
    for size overflow and allocation failure.

    As noted in bug 26211, the version of that logic used when '$' plus
    argument number formats are in use is missing the overflow checks,
    which can result in segfaults (quite possibly exploitable, I didn't
    try to work that out) when the width or precision is in the range
    0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
    wprintf case on 32-bit systems, when the multiplication by sizeof
    (CHAR_T) can overflow).

    All that complicated logic in fact appears to be useless.  As far as I
    can tell, there has been no need (outside the floating-point printf
    code, which does its own allocations) for allocations depending on
    width or precision since commit
    3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
    of precision for integers", Sun Sep 12 21:23:32 1999 +0000).  Thus,
    this patch removes that logic completely, thereby fixing both problems
    with excessive allocations for large width and precision for
    non-floating-point formats, and the problem with missing overflow
    checks with such allocations.  Note that this does have the
    consequence that width and precision up to INT_MAX are now allowed
    where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
    been rejected, so could potentially expose any other overflows where
    the value would previously have been rejected by those removed checks.

    I believe this completely fixes bugs 14231 and 26211.

    Excessive allocations are still possible in the floating-point case
    (bug 21127), as are other integer or buffer overflows (see bug 26201).
    This does not address the cases where a precision larger than INT_MAX
    (embedded in the format string) would be meaningful without printf's
    return value overflowing (when it's used with a string format, or %g
    without the '#' flag, so the actual output will be much smaller), as
    mentioned in bug 17829 comment 8; using size_t internally for
    precision to handle that case would be complicated by struct
    printf_info being a public ABI.  Nor does it address the matter of an
    INT_MIN width being negated (bug 17829 comment 7; the same logic
    appears a second time in the file as well, in the form of multiplying
    by -1).  There may be other sources of memory allocations with malloc
    in printf functions as well (bug 24988, bug 16060).  From inspection,
    I think there are also integer overflows in two copies of "if ((width
    -= len) < 0)" logic (where width is int, len is size_t and a very long
    string could result in spurious padding being output on a 32-bit
    system before printf overflows the count of output characters).

    Tested for x86-64 and x86.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #3 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Andreas Schwab <schwab@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=ca6466e8be32369a658035d69542d47603e58a99

commit ca6466e8be32369a658035d69542d47603e58a99
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Aug 29 15:05:40 2022 +0200

    Add test for bug 29530

    This tests for a bug that was introduced in commit edc1686af0 ("vfprintf:
    Reuse work_buffer in group_number") and fixed as a side effect of commit
    6caddd34bd ("Remove most vfprintf width/precision-dependent allocations
    (bug 14231, bug 26211).").

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1dbe841a672f5d6fdaf73c5d50774a2944a7d42b

commit 1dbe841a672f5d6fdaf73c5d50774a2944a7d42b
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Jul 7 14:54:12 2020 +0000

    Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).

    The vfprintf implementation (used for all printf-family functions)
    contains complicated logic to allocate internal buffers of a size
    depending on the width and precision used for a format, using either
    malloc or alloca depending on that size, and with consequent checks
    for size overflow and allocation failure.

    As noted in bug 26211, the version of that logic used when '$' plus
    argument number formats are in use is missing the overflow checks,
    which can result in segfaults (quite possibly exploitable, I didn't
    try to work that out) when the width or precision is in the range
    0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
    wprintf case on 32-bit systems, when the multiplication by sizeof
    (CHAR_T) can overflow).

    All that complicated logic in fact appears to be useless.  As far as I
    can tell, there has been no need (outside the floating-point printf
    code, which does its own allocations) for allocations depending on
    width or precision since commit
    3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
    of precision for integers", Sun Sep 12 21:23:32 1999 +0000).  Thus,
    this patch removes that logic completely, thereby fixing both problems
    with excessive allocations for large width and precision for
    non-floating-point formats, and the problem with missing overflow
    checks with such allocations.  Note that this does have the
    consequence that width and precision up to INT_MAX are now allowed
    where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
    been rejected, so could potentially expose any other overflows where
    the value would previously have been rejected by those removed checks.

    I believe this completely fixes bugs 14231 and 26211.

    Excessive allocations are still possible in the floating-point case
    (bug 21127), as are other integer or buffer overflows (see bug 26201).
    This does not address the cases where a precision larger than INT_MAX
    (embedded in the format string) would be meaningful without printf's
    return value overflowing (when it's used with a string format, or %g
    without the '#' flag, so the actual output will be much smaller), as
    mentioned in bug 17829 comment 8; using size_t internally for
    precision to handle that case would be complicated by struct
    printf_info being a public ABI.  Nor does it address the matter of an
    INT_MIN width being negated (bug 17829 comment 7; the same logic
    appears a second time in the file as well, in the form of multiplying
    by -1).  There may be other sources of memory allocations with malloc
    in printf functions as well (bug 24988, bug 16060).  From inspection,
    I think there are also integer overflows in two copies of "if ((width
    -= len) < 0)" logic (where width is int, len is size_t and a very long
    string could result in spurious padding being output on a 32-bit
    system before printf overflows the count of output characters).

    Tested for x86-64 and x86.

    (cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #5 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2c2357eedebcd93be932031f567c0c66c664131d

commit 2c2357eedebcd93be932031f567c0c66c664131d
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Jul 7 14:54:12 2020 +0000

    Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).

    The vfprintf implementation (used for all printf-family functions)
    contains complicated logic to allocate internal buffers of a size
    depending on the width and precision used for a format, using either
    malloc or alloca depending on that size, and with consequent checks
    for size overflow and allocation failure.

    As noted in bug 26211, the version of that logic used when '$' plus
    argument number formats are in use is missing the overflow checks,
    which can result in segfaults (quite possibly exploitable, I didn't
    try to work that out) when the width or precision is in the range
    0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
    wprintf case on 32-bit systems, when the multiplication by sizeof
    (CHAR_T) can overflow).

    All that complicated logic in fact appears to be useless.  As far as I
    can tell, there has been no need (outside the floating-point printf
    code, which does its own allocations) for allocations depending on
    width or precision since commit
    3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
    of precision for integers", Sun Sep 12 21:23:32 1999 +0000).  Thus,
    this patch removes that logic completely, thereby fixing both problems
    with excessive allocations for large width and precision for
    non-floating-point formats, and the problem with missing overflow
    checks with such allocations.  Note that this does have the
    consequence that width and precision up to INT_MAX are now allowed
    where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
    been rejected, so could potentially expose any other overflows where
    the value would previously have been rejected by those removed checks.

    I believe this completely fixes bugs 14231 and 26211.

    Excessive allocations are still possible in the floating-point case
    (bug 21127), as are other integer or buffer overflows (see bug 26201).
    This does not address the cases where a precision larger than INT_MAX
    (embedded in the format string) would be meaningful without printf's
    return value overflowing (when it's used with a string format, or %g
    without the '#' flag, so the actual output will be much smaller), as
    mentioned in bug 17829 comment 8; using size_t internally for
    precision to handle that case would be complicated by struct
    printf_info being a public ABI.  Nor does it address the matter of an
    INT_MIN width being negated (bug 17829 comment 7; the same logic
    appears a second time in the file as well, in the form of multiplying
    by -1).  There may be other sources of memory allocations with malloc
    in printf functions as well (bug 24988, bug 16060).  From inspection,
    I think there are also integer overflows in two copies of "if ((width
    -= len) < 0)" logic (where width is int, len is size_t and a very long
    string could result in spurious padding being output on a 32-bit
    system before printf overflows the count of output characters).

    Tested for x86-64 and x86.

    (cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #6 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.30/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d0aac8b4833c725d0682108066a210bbb7cf3bf4

commit d0aac8b4833c725d0682108066a210bbb7cf3bf4
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Aug 29 15:05:40 2022 +0200

    Add test for bug 29530

    This tests for a bug that was introduced in commit edc1686af0 ("vfprintf:
    Reuse work_buffer in group_number") and fixed as a side effect of commit
    6caddd34bd ("Remove most vfprintf width/precision-dependent allocations
    (bug 14231, bug 26211).").

    (cherry picked from commit ca6466e8be32369a658035d69542d47603e58a99)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #7 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.31/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c8f2a3e8038232f7707d11b4629f5d5cf32244fc

commit c8f2a3e8038232f7707d11b4629f5d5cf32244fc
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Aug 29 15:05:40 2022 +0200

    Add test for bug 29530

    This tests for a bug that was introduced in commit edc1686af0 ("vfprintf:
    Reuse work_buffer in group_number") and fixed as a side effect of commit
    6caddd34bd ("Remove most vfprintf width/precision-dependent allocations
    (bug 14231, bug 26211).").

    (cherry picked from commit ca6466e8be32369a658035d69542d47603e58a99)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #8 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.29/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=5b5dd5a43d0e13529a86332a5c10bdd5b5185e38

commit 5b5dd5a43d0e13529a86332a5c10bdd5b5185e38
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Jul 7 14:54:12 2020 +0000

    Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).

    The vfprintf implementation (used for all printf-family functions)
    contains complicated logic to allocate internal buffers of a size
    depending on the width and precision used for a format, using either
    malloc or alloca depending on that size, and with consequent checks
    for size overflow and allocation failure.

    As noted in bug 26211, the version of that logic used when '$' plus
    argument number formats are in use is missing the overflow checks,
    which can result in segfaults (quite possibly exploitable, I didn't
    try to work that out) when the width or precision is in the range
    0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
    wprintf case on 32-bit systems, when the multiplication by sizeof
    (CHAR_T) can overflow).

    All that complicated logic in fact appears to be useless.  As far as I
    can tell, there has been no need (outside the floating-point printf
    code, which does its own allocations) for allocations depending on
    width or precision since commit
    3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
    of precision for integers", Sun Sep 12 21:23:32 1999 +0000).  Thus,
    this patch removes that logic completely, thereby fixing both problems
    with excessive allocations for large width and precision for
    non-floating-point formats, and the problem with missing overflow
    checks with such allocations.  Note that this does have the
    consequence that width and precision up to INT_MAX are now allowed
    where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
    been rejected, so could potentially expose any other overflows where
    the value would previously have been rejected by those removed checks.

    I believe this completely fixes bugs 14231 and 26211.

    Excessive allocations are still possible in the floating-point case
    (bug 21127), as are other integer or buffer overflows (see bug 26201).
    This does not address the cases where a precision larger than INT_MAX
    (embedded in the format string) would be meaningful without printf's
    return value overflowing (when it's used with a string format, or %g
    without the '#' flag, so the actual output will be much smaller), as
    mentioned in bug 17829 comment 8; using size_t internally for
    precision to handle that case would be complicated by struct
    printf_info being a public ABI.  Nor does it address the matter of an
    INT_MIN width being negated (bug 17829 comment 7; the same logic
    appears a second time in the file as well, in the form of multiplying
    by -1).  There may be other sources of memory allocations with malloc
    in printf functions as well (bug 24988, bug 16060).  From inspection,
    I think there are also integer overflows in two copies of "if ((width
    -= len) < 0)" logic (where width is int, len is size_t and a very long
    string could result in spurious padding being output on a 32-bit
    system before printf overflows the count of output characters).

    Tested for x86-64 and x86.

    (cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #9 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.29/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6da40102c73018dd88bb959e460fa1425270d395

commit 6da40102c73018dd88bb959e460fa1425270d395
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Aug 29 15:05:40 2022 +0200

    Add test for bug 29530

    This tests for a bug that was introduced in commit edc1686af0 ("vfprintf:
    Reuse work_buffer in group_number") and fixed as a side effect of commit
    6caddd34bd ("Remove most vfprintf width/precision-dependent allocations
    (bug 14231, bug 26211).").

    (cherry picked from commit ca6466e8be32369a658035d69542d47603e58a99)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #10 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.28/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e1c0c00cc2bdd147bfcf362ada1443bee90465ec

commit e1c0c00cc2bdd147bfcf362ada1443bee90465ec
Author: Joseph Myers <joseph@codesourcery.com>
Date:   Tue Jul 7 14:54:12 2020 +0000

    Remove most vfprintf width/precision-dependent allocations (bug 14231, bug
26211).

    The vfprintf implementation (used for all printf-family functions)
    contains complicated logic to allocate internal buffers of a size
    depending on the width and precision used for a format, using either
    malloc or alloca depending on that size, and with consequent checks
    for size overflow and allocation failure.

    As noted in bug 26211, the version of that logic used when '$' plus
    argument number formats are in use is missing the overflow checks,
    which can result in segfaults (quite possibly exploitable, I didn't
    try to work that out) when the width or precision is in the range
    0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
    wprintf case on 32-bit systems, when the multiplication by sizeof
    (CHAR_T) can overflow).

    All that complicated logic in fact appears to be useless.  As far as I
    can tell, there has been no need (outside the floating-point printf
    code, which does its own allocations) for allocations depending on
    width or precision since commit
    3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
    of precision for integers", Sun Sep 12 21:23:32 1999 +0000).  Thus,
    this patch removes that logic completely, thereby fixing both problems
    with excessive allocations for large width and precision for
    non-floating-point formats, and the problem with missing overflow
    checks with such allocations.  Note that this does have the
    consequence that width and precision up to INT_MAX are now allowed
    where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
    been rejected, so could potentially expose any other overflows where
    the value would previously have been rejected by those removed checks.

    I believe this completely fixes bugs 14231 and 26211.

    Excessive allocations are still possible in the floating-point case
    (bug 21127), as are other integer or buffer overflows (see bug 26201).
    This does not address the cases where a precision larger than INT_MAX
    (embedded in the format string) would be meaningful without printf's
    return value overflowing (when it's used with a string format, or %g
    without the '#' flag, so the actual output will be much smaller), as
    mentioned in bug 17829 comment 8; using size_t internally for
    precision to handle that case would be complicated by struct
    printf_info being a public ABI.  Nor does it address the matter of an
    INT_MIN width being negated (bug 17829 comment 7; the same logic
    appears a second time in the file as well, in the form of multiplying
    by -1).  There may be other sources of memory allocations with malloc
    in printf functions as well (bug 24988, bug 16060).  From inspection,
    I think there are also integer overflows in two copies of "if ((width
    -= len) < 0)" logic (where width is int, len is size_t and a very long
    string could result in spurious padding being output on a 32-bit
    system before printf overflows the count of output characters).

    Tested for x86-64 and x86.

    (cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

[Bug stdio/26211] printf integer overflow calculating allocation size

[cvs-commit at gcc dot gnu.org]

https://sourceware.org/bugzilla/show_bug.cgi?id=26211

--- Comment #11 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
The release/2.28/master branch has been updated by Florian Weimer
<fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b915921fbf4d32bf68fc3d637413cf96236b3fd

commit 8b915921fbf4d32bf68fc3d637413cf96236b3fd
Author: Andreas Schwab <schwab@suse.de>
Date:   Mon Aug 29 15:05:40 2022 +0200

    Add test for bug 29530

    This tests for a bug that was introduced in commit edc1686af0 ("vfprintf:
    Reuse work_buffer in group_number") and fixed as a side effect of commit
    6caddd34bd ("Remove most vfprintf width/precision-dependent allocations
    (bug 14231, bug 26211).").

    (cherry picked from commit ca6466e8be32369a658035d69542d47603e58a99)

-- 
You are receiving this mail because:
You are on the CC list for the bug.