From: "fweimer at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/30039] New: __vsprintf_internal does not handle unspecified buffer length in fortify mode
Date: Tue, 24 Jan 2023 09:44:56 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=30039

            Bug ID: 30039
           Summary: __vsprintf_internal does not handle unspecified buffer
                    length in fortify mode
           Product: glibc
           Version: 2.37
            Status: NEW
          Severity: normal
          Priority: P1
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---

From libio/iovsprintf.c:

  /* When called from fortified sprintf/vsprintf, erase the destination
     buffer and try to detect overflows.  When called from regular
     sprintf/vsprintf, do not erase the destination buffer, because
     known user code relies on this behavior (even though it's undefined
     by ISO C), nor try to detect overflows.  */
  if ((mode_flags & PRINTF_CHK) != 0)
    {
      string[0] = '\0';
      __printf_buffer_init (&buf, string, maxlen,
                            __printf_buffer_mode_sprintf_chk);
    }
  else
    {
      __printf_buffer_init (&buf, string, 0, __printf_buffer_mode_sprintf);
      buf.write_end = (char *) ~(uintptr_t) 0; /* End of address space.  */
    }

However, in some cases, this code is called for an inline expansion of sprintf
where the buffer size is not known and maxlen == -1.  This makes buf->write_end
== buf->write_ptr - 1 (so end before active write position).  This causes an
assertion failure in __printf_buffer_as_file_commit:

Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end

I believe the assertion is not unreasonable, so I think we need to fix the
buffer setup.
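As an added illustration (not glibc's code, and not the fix that landed for this bug), here is a simplified model of the pointer arithmetic in the buffer setup quoted above: it shows how a maxlen of (size_t) -1 places write_end one byte before write_ptr, so the commit-time invariant fails, and one way a checked setup can treat that value as "size unknown" by falling back to the end-of-address-space bound the unfortified branch already uses. The struct, function names and the 16-byte buffer are assumptions of this example.

```c
/* Simplified model of struct __printf_buffer setup (example only, not
   glibc's implementation).  Pointer arithmetic is done on uintptr_t so
   the wrap-around the bug report describes is well defined here.  */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumption: only the three fields the bug report talks about.  */
struct model_buffer
{
  char *write_base;
  char *write_ptr;
  char *write_end;
};

/* Mirrors the effect of __printf_buffer_init: write_end = base + len.
   With len == (size_t) -1 this yields base - 1, i.e. end before start.  */
static void
model_init (struct model_buffer *buf, char *base, size_t len)
{
  buf->write_base = base;
  buf->write_ptr = base;
  buf->write_end = (char *) ((uintptr_t) base + len);
}

/* The invariant checked in __printf_buffer_as_file_commit.  */
static bool
model_invariant_holds (const struct model_buffer *buf)
{
  return (uintptr_t) buf->write_ptr <= (uintptr_t) buf->write_end;
}

/* Original scheme from the report: the fortified branch passes maxlen
   straight through.  Returns whether the invariant holds afterwards.  */
bool
original_setup_ok (size_t maxlen)
{
  char string[16];
  struct model_buffer buf;
  string[0] = '\0';
  model_init (&buf, string, maxlen);
  return model_invariant_holds (&buf);
}

/* Hardened variant (assumption, not glibc's fix): treat (size_t) -1 as
   "buffer length not known" and clamp to the end of the address space.  */
bool
hardened_setup_ok (size_t maxlen)
{
  char string[16];
  struct model_buffer buf;
  string[0] = '\0';
  model_init (&buf, string, maxlen == (size_t) -1 ? 0 : maxlen);
  if (maxlen == (size_t) -1)
    buf.write_end = (char *) ~(uintptr_t) 0; /* End of address space.  */
  return model_invariant_holds (&buf);
}
```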