From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 1F92C3858D35; Mon,  6 Jul 2020 23:03:37 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1F92C3858D35
From: "jsm28 at gcc dot gnu.org" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/26211] New: printf integer overflow calculating
 allocation size
Date: Mon, 06 Jul 2020 23:03:36 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: stdio
X-Bugzilla-Version: 2.32
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jsm28 at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status
 bug_severity priority component assigned_to reporter target_milestone
Message-ID: <bug-26211-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: glibc-bugs@sourceware.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Glibc-bugs mailing list <glibc-bugs.sourceware.org>
List-Unsubscribe: <http://sourceware.org/mailman/options/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=unsubscribe>
List-Archive: <https://sourceware.org/pipermail/glibc-bugs/>
List-Help: <mailto:glibc-bugs-request@sourceware.org?subject=help>
List-Subscribe: <http://sourceware.org/mailman/listinfo/glibc-bugs>,
 <mailto:glibc-bugs-request@sourceware.org?subject=subscribe>
X-List-Received-Date: Mon, 06 Jul 2020 23:03:37 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=3D26211

            Bug ID: 26211
           Summary: printf integer overflow calculating allocation size
           Product: glibc
           Version: 2.32
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: jsm28 at gcc dot gnu.org
  Target Milestone: ---

The following test segfaults on a 64-bit system (haven't tested 32-bit).  (=
Any
precision less than 0x7fffffe0 is OK; 0x7fffffe0 through 0x7fffffff result =
in
the crash.)

#include <stdio.h>
#include <stdlib.h>

int
main (void)
{
  FILE *fp;
  if ((fp =3D fopen ("/dev/null", "w")) =3D=3D NULL)
    exit (1);
  fprintf (fp, "%2$.*1$a", 0x7fffffff, 1e200);
}

The problem is the code in printf_positional:

      /* Maybe the buffer is too small.  */
      if (MAX (prec, width) + EXTSIZ > WORK_BUFFER_SIZE)
        {
          if (__libc_use_alloca ((MAX (prec, width) + EXTSIZ)
                                 * sizeof (CHAR_T)))
            workend =3D ((CHAR_T *) alloca ((MAX (prec, width) + EXTSIZ)
                                          * sizeof (CHAR_T))
                       + (MAX (prec, width) + EXTSIZ));
          else
            {
              workstart =3D (CHAR_T *) malloc ((MAX (prec, width) + EXTSIZ)
                                             * sizeof (CHAR_T));
              if (workstart =3D=3D NULL)
                {
                  done =3D -1;
                  goto all_done;
                }
              workend =3D workstart + (MAX (prec, width) + EXTSIZ);
            }
        }

The code in the implementation that doesn't use '$' argument numbers has a
check

        if (__glibc_unlikely (width >=3D INT_MAX / sizeof (CHAR_T) - EXTSIZ=
))
          {
            __set_errno (EOVERFLOW);
            done =3D -1;
            goto all_done;
          }

(and likewise for precision). The implementation for the case with '$' argu=
ment
numbers is missing that check. So MAX (prec, width) + EXTSIZ overflows.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=