From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <sourceware-bugzilla@sourceware.org>
Received: by sourceware.org (Postfix, from userid 48)
	id C4B793858D38; Wed, 25 Jan 2023 10:19:51 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org C4B793858D38
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org;
	s=default; t=1674641991;
	bh=2HLr7dlarVbns0m+hjmd+73a59UHYC6D5BluAVqdleo=;
	h=From:To:Subject:Date:In-Reply-To:References:From;
	b=wQUIahjnZpQBOedMJxq01Rv0Yx/RoicV4ucRi78dRNCfq9/WfRggAAPxXPtOo557n
	 eQx78fe6mzaFazdyoKzHj+/sKAEZ5wpI6pUW/quCTd0Th2rIqxBr3B8WDWGADcP7gY
	 iYf/eGy7//kvGTsDWGB0FKA2hG8HJ5Pc+rVxHjTs=
From: "fweimer at redhat dot com" <sourceware-bugzilla@sourceware.org>
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/30039] __vsprintf_internal does not handle unspecified
 buffer length in fortify mode
Date: Wed, 25 Jan 2023 10:19:51 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: stdio
X-Bugzilla-Version: 2.37
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: fweimer at redhat dot com
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: FIXED
X-Bugzilla-Priority: P1
X-Bugzilla-Assigned-To: fweimer at redhat dot com
X-Bugzilla-Target-Milestone: 2.37
X-Bugzilla-Flags: security-
X-Bugzilla-Changed-Fields: bug_status resolution flagtypes.name
 target_milestone
Message-ID: <bug-30039-131-aqIVR61Sh9@http.sourceware.org/bugzilla/>
In-Reply-To: <bug-30039-131@http.sourceware.org/bugzilla/>
References: <bug-30039-131@http.sourceware.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id: <glibc-bugs.sourceware.org>

https://sourceware.org/bugzilla/show_bug.cgi?id=3D30039

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
              Flags|                            |security-
   Target Milestone|---                         |2.37

--- Comment #2 from Florian Weimer <fweimer at redhat dot com> ---
Fixed for 2.37 via:

commit 0d50f477f47ba637b54fb03ac48d769ec4543e8d
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 25 08:01:00 2023 +0100

    stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)

    This shows up as an assertion failure when sprintf is called with
    a specifier like "%.8g" and libquadmath is linked in:

    Fatal glibc error: printf_buffer_as_file.c:31
      (__printf_buffer_as_file_commit): assertion failed:
      file->stream._IO_write_ptr <=3D file->next->write_end

    Fix this by detecting pointer wraparound in __vsprintf_internal
    and saturate the addition to the end of the address space instead.

    Reviewed-by: Carlos O'Donell <carlos@redhat.com>
    Tested-by: Carlos O'Donell <carlos@redhat.com>

Introduce in the vfprintf refactoring, so need for backporting.

--=20
You are receiving this mail because:
You are on the CC list for the bug.=