From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: by sourceware.org (Postfix, from userid 48) id 1B41F3857347; Thu, 11 May 2023 21:46:42 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1B41F3857347
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1683841602; bh=kFWWSAz0U1hGy8Ij5fFBlcyx8RCWl8EMfbWCZPdsW8U=; h=From:To:Subject:Date:In-Reply-To:References:From; b=SutjA5p++KziH8j8AsgJq2JqD4mPAB7/s1J/IFc6slYump+aXtl+O6Rf5pfqHClX/6YIDvWfOSV/xiYPV1/cTXA0mT978kYfYJ2M7mpsGuoxrLfDqRCS5o01rD3bplW0TyW5bDLHqh8ds0V8+rRcltkc+LRGHpVNb0ZDAUpAXWA=
From: "gabravier at gmail dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/30441] snprintf truncates output on extremely large buffer sizes
Date: Thu, 11 May 2023 21:46:41 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: glibc
X-Bugzilla-Component: stdio
X-Bugzilla-Version: 2.37
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: gabravier at gmail dot com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: P2
X-Bugzilla-Assigned-To: unassigned at sourceware dot org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID:
In-Reply-To:
References:
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://sourceware.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
List-Id:

https://sourceware.org/bugzilla/show_bug.cgi?id=30441

--- Comment #1 from Gabriel Ravier ---

PS: The bug appears to be caused by the fact that glibc internally tries to compute a pointer to the end of the provided buffer, which results in a pretty much guaranteed overflow given the provided value.

This in turn ends up making a later if statement of: `if (buf->base.write_ptr < buf->base.write_end)` fail, where that if statement seems to have been meant to check for the case where fewer characters than the buffer can contain have been written (which is the case here, but the if statement thinks this is not the case because of the pointer arithmetic overflow).

-- 
You are receiving this mail because:
You are on the CC list for the bug.
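The failure mode described in the comment, as an added illustration that is not glibc's code: the end-of-buffer value is modelled as a `uintptr_t` so the wraparound is ordinary unsigned arithmetic rather than undefined pointer arithmetic, and a clamped computation is shown beside the naive one. The function names, the sample base address and the sample sizes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Naive end computation as the report describes: base + size.
   For a size close to SIZE_MAX this wraps to a value below base. */
uintptr_t end_ptr_naive(uintptr_t base, size_t size)
{
    return base + (uintptr_t)size;
}

/* Clamped variant: never add more than the room that actually exists
   above base, so the end value cannot wrap around. */
uintptr_t end_ptr_clamped(uintptr_t base, size_t size)
{
    uintptr_t room = UINTPTR_MAX - base;
    return base + (size > room ? room : (uintptr_t)size);
}

/* The condition quoted in the report: true while there is still room
   between the write position and the end of the buffer. */
int has_space(uintptr_t write_ptr, uintptr_t write_end)
{
    return write_ptr < write_end;
}

/* Returns 1 when the naive end value makes the check fail even though
   `written' bytes plainly fit in `size', 0 otherwise. */
int naive_check_misfires(uintptr_t base, size_t size, size_t written)
{
    uintptr_t write_ptr = base + (uintptr_t)written;
    return written < size
        && !has_space(write_ptr, end_ptr_naive(base, size))
        && has_space(write_ptr, end_ptr_clamped(base, size));
}

int main(void)
{
    uintptr_t base = 0x10001000u;  /* constructed sample buffer address */
    printf("size=SIZE_MAX, 5 bytes written: naive check misfires = %d\n",
           naive_check_misfires(base, SIZE_MAX, 5));
    printf("size=64, 5 bytes written:       naive check misfires = %d\n",
           naive_check_misfires(base, 64, 5));
    return 0;
}
```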