public inbox for glibc-bugs@sourceware.org
* [Bug stdio/30441] New: snprintf truncates output on extremely large buffer sizes
From: gabravier at gmail dot com @ 2023-05-11 21:41 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

            Bug ID: 30441
           Summary: snprintf truncates output on extremely large buffer
                    sizes
           Product: glibc
           Version: 2.37
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: gabravier at gmail dot com
  Target Milestone: ---

#include <stdio.h>
#include <stdint.h>

int main(void) {
    /* The real object is 100 bytes, zero-filled so it prints as a string. */
    char buf[100] = {0};

    /* Pass a size far larger than the real buffer; only 5 bytes are needed. */
    printf("snprintf: %d \nbuf: %s\n", snprintf(buf, SIZE_MAX, "test"), buf);
}

Compiling this program with:

$ gcc -ggdb3 test.c -o glibc

and then running it with:

$ /tmp/tmp.qoS3ELDYbg/testrun.sh ./glibc

outputs:

snprintf: 4 
buf: tes

I believe this is not conforming behavior, as although the provided buffer size
is larger than the buffer, snprintf should not be affected (i.e. I would not
expect the program to be considered to be invoking undefined behavior) as it
should only write as many characters as required by the formatted string. As
such, writing "tes" (truncating the buffer for no reason) is not conforming
behavior, as the provided buffer was large enough to contain the formatted
string "test".

(PS: Looks like POSIX says this call should result in EOVERFLOW, which libcs
like musl do, but looking at previous discussion it appears glibc has chosen to
disregard this - I'd doubt the intent was to randomly truncate strings when
given massive buffer sizes, though)

Tested on:

$ /tmp/tmp.qoS3ELDYbg/libc.so.6 | head -n1
GNU C Library (GNU libc) development release version 2.37.9000.

(note: I initially found this on my Fedora laptop with glibc 2.37, but was able
to reproduce it on recent trunk (specifically commit
d6c72f976c61d3c1465699f2bcad77e62bafe61d))

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: gabravier at gmail dot com @ 2023-05-11 21:46 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

--- Comment #1 from Gabriel Ravier <gabravier at gmail dot com> ---
PS: The bug appears to be caused by the fact that glibc internally tries to
compute a pointer to the end of the provided buffer, which results in a pretty
much guaranteed overflow given the provided value. This in turn ends up making
a later if statement of: `if (buf->base.write_ptr < buf->base.write_end)` fail,
where that if statement seems to have been meant to check for the case where
less characters than the buffer can contain have been written (which is the
case here, but the if statement thinks this is not the case because of the
pointer arithmetic overflow).

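A worked illustration of the two points above (the reporter's call with n = SIZE_MAX, and the wrapped end pointer from Comment #1), added here as an example; it is not glibc code. `naive_has_room` is an assumed, simplified model of the `write_ptr < write_end` check, not glibc's actual implementation, and `bounded_snprintf` is a hypothetical caller-side guard: all function names are invented for this example.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* True when buf + n would wrap around the address space.  The check is
   done in uintptr_t arithmetic so that it has no pointer overflow of its
   own; n > UINTPTR_MAX - base is exactly the wrap condition. */
int end_pointer_wraps(const char *buf, size_t n)
{
    uintptr_t base = (uintptr_t)buf;
    return n > UINTPTR_MAX - base;
}

/* Assumed model of the check Comment #1 describes: write_end is computed
   as buf + n, then "is there room left?" is write_ptr < write_end.  For
   n = SIZE_MAX the end wraps to just below buf, so the comparison is false
   even though only a few bytes were written. */
int naive_has_room(const char *buf, size_t n, size_t written)
{
    uintptr_t write_end = (uintptr_t)buf + n;      /* wraps for huge n */
    uintptr_t write_ptr = (uintptr_t)buf + written;
    return write_ptr < write_end;
}

/* Caller-side mitigation: never hand snprintf an n larger than the object
   really is.  capacity is the true size of buf; n is whatever the caller
   believed the limit to be. */
int bounded_snprintf(char *buf, size_t capacity, size_t n, const char *fmt, ...)
{
    va_list ap;
    int ret;
    if (n > capacity)
        n = capacity;
    va_start(ap, fmt);
    ret = vsnprintf(buf, n, fmt, ap);
    va_end(ap);
    return ret;
}

/* Constructed 100-byte buffer standing in for the reporter's buf[100]. */
static char demo_buf[100];

/* Reporter's case through the bounded wrapper: returns the snprintf
   result and leaves the formatted text in demo_buf. */
int demo_bounded(void)
{
    memset(demo_buf, 0, sizeof demo_buf);
    return bounded_snprintf(demo_buf, sizeof demo_buf, SIZE_MAX, "%s", "test");
}

const char *demo_buf_contents(void)
{
    return demo_buf;
}

/* Does buf + SIZE_MAX wrap for this buffer?  (Always, for a non-null buf.) */
int demo_wraps(void)
{
    return end_pointer_wraps(demo_buf, SIZE_MAX);
}

/* What the naive check concludes after writing "test" with n = SIZE_MAX. */
int demo_naive_room(void)
{
    return naive_has_room(demo_buf, SIZE_MAX, 4);
}

int main(void)
{
    printf("buf + SIZE_MAX wraps: %d\n", demo_wraps());
    printf("naive check still sees room: %d\n", demo_naive_room());
    int ret = demo_bounded();
    printf("bounded snprintf returned %d, buf=\"%s\"\n", ret, demo_buf_contents());
    return 0;
}
```

`end_pointer_wraps` is the check an implementation (or a reviewer reading one) can apply before forming `buf + n`; `bounded_snprintf` is the discipline a caller can apply regardless of which libc is underneath.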

* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: michael.hudson at canonical dot com @ 2023-05-12  0:09 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

Michael Hudson-Doyle <michael.hudson at canonical dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |michael.hudson at canonical dot com

--- Comment #2 from Michael Hudson-Doyle <michael.hudson at canonical dot com> ---
This was discussed on libc-alpha in
https://inbox.sourceware.org/libc-alpha/CAOOWow1L2ZMXE6S5pd3uKvAeHNQXMPtjew42LbAiQE-Pnd2ULg@mail.gmail.com/t/#u
which didn't really reach a strong conclusion but didn't seem to regard this as
something that should be supported.


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: gabravier at gmail dot com @ 2023-05-12  0:45 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

--- Comment #3 from Gabriel Ravier <gabravier at gmail dot com> ---
Quite the interesting discussion, thanks for the link.

w.r.t. the points raised there, I generally agree that passing a value for n
larger than the actual buffer size is extremely dubious, but if the glibc
project's position is that this is an error in the C standard and the bug is
thus invalid, then I think a DR or something like that should be raised with
WG14 about this issue. Has anything like this been done?


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: michael.hudson at canonical dot com @ 2023-05-14 21:29 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

--- Comment #4 from Michael Hudson-Doyle <michael.hudson at canonical dot com> ---
Not to the best of my knowledge no. I agree it would be a good next step but
it's not something I am likely to get around to myself, if I'm honest.


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: gabravier at gmail dot com @ 2023-06-06 21:50 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

Gabriel Ravier <gabravier at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gabravier at gmail dot com


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: gabravier at gmail dot com @ 2023-06-07  1:53 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

--- Comment #5 from Gabriel Ravier <gabravier at gmail dot com> ---
I'm currently attempting to do so right now, if you want to know, although it's
somewhat unlikely that I'll get much progress on it anytime soon - right now I
haven't even managed to actually determine whether defect reports are still a
thing, and WG14 appears to be currently focused on getting C23 released (though
I'm thinking about potentially trying to get this into a ballot comment or
something like that).


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: sam at gentoo dot org @ 2023-06-07  8:39 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: joseph at codesourcery dot com @ 2023-06-07 23:09 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

--- Comment #6 from joseph at codesourcery dot com <joseph at codesourcery dot com> ---
WG14 stopped using the "defect report" terminology when it turned out that 
the issues WG14 was using it for did not meet the ISO definition of what 
defect reports should be used for.  At that point, WG14 changed to 
referring to the issues as clarification requests instead.  Maintenance of 
a CR log then stopped when work on C2x started.

https://www.open-std.org/jtc1/sc22/wg14/www/docs/n3002.pdf has a proposal 
for a new issue tracking process.  This has not yet been discussed at a 
WG14 meeting, but maybe there could be an opportunity for discussion at 
the proposed October meeting (since a ballot will be running at that time, 
that meeting won't be discussing any proposed changes to the C 
standard itself, which should allow more time for such administrative 
discussions).


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: nbowler at draconx dot ca @ 2023-07-25 21:59 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

Nick Bowler <nbowler at draconx dot ca> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |nbowler at draconx dot ca


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: schwab@linux-m68k.org @ 2024-01-17  9:32 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |i at maskray dot me

--- Comment #7 from Andreas Schwab <schwab@linux-m68k.org> ---
*** Bug 31251 has been marked as a duplicate of this bug. ***


* [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
From: i at maskray dot me @ 2024-01-17 19:47 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

Fangrui Song <i at maskray dot me> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://sourceware.org/bugzilla/show_bug.cgi?id=28989

