From: "i at maskray dot me"
To: glibc-bugs@sourceware.org
Subject: [Bug stdio/31251] New: libio: snprintf(str, SIZE_MAX, "Hello world!") does not write the last char
Date: Tue, 16 Jan 2024 23:21:53 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=31251

            Bug ID: 31251
           Summary: libio: snprintf(str, SIZE_MAX, "Hello world!") does not write the last char
           Product: glibc
           Version: 2.37
            Status: NEW
          Severity: normal
          Priority: P2
         Component: stdio
          Assignee: unassigned at sourceware dot org
          Reporter: i at maskray dot me
  Target Milestone: ---

Since about
https://sourceware.org/git/?p=glibc.git;a=commit;h=e88b9f0e5cc50cab57a299dc7efe1a4eb385161d
(stdio-common: Convert vfprintf and related functions to buffers)

```
% cat sn.c
#include <stdint.h>
#include <stdio.h>

int main() {
  char str[20];
  /* The stated size is SIZE_MAX, far larger than the real 20-byte buffer. */
  snprintf(str, SIZE_MAX, "Hello world!");
  puts(str);
}
% cc sn.c
% ./a.out
Hello world
```

Call trace:

__vsnprintf_internal
  __printf_buffer_snprintf_init
    __printf_buffer_init
      __printf_buffer_init_end: `base + len` (write_end) may wrap around if `len` is too large (e.g. SIZE_MAX)
  __printf_buffer_snprintf_done

The condition `if (buf->base.write_ptr < buf->base.write_end)` fails.
`buf->base.write_ptr[-1] = '\0'` drops the last char.

Notes:

Bounds-checked functions, such as printf_s, fprintf_s, sprintf_s, and snprintf_s, specify RSIZE_MAX as the upper bound. We don't define RSIZE_MAX.

musl snprintf returns -1 with errno=EOVERFLOW when bufsz > INT_MAX.

```
% cat sn.c
#include <limits.h>
#include <stdio.h>

int main() {
  char str[20];
  /* INT_MAX is the largest size musl accepts. */
  int ret = snprintf(str, INT_MAX, "a!");
  printf("%d %s\n", ret, str);
  /* One past INT_MAX: musl returns -1 and leaves str untouched. */
  ret = snprintf(str, INT_MAX+1L, "a!");
  printf("%d %s\n", ret, str);
}
% ~/musl/out/debug/obj/musl-gcc sn.c -o sn.musl && ./sn.musl
2 a!
-1 a!
```
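The wraparound described in this report, as an added example that is not part of the original message and is not glibc's code: a simplified model of a bounded output buffer that keeps addresses as integers so the wrap is well defined. `struct outbuf`, the `outbuf_*` functions and `bounded_copy` are hypothetical names, and the length clamp is one possible mitigation assumed here, not the fix glibc adopted.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a bounded output buffer; all names are hypothetical. */
struct outbuf {
    char *base;                /* real storage supplied by the caller */
    uintptr_t start, ptr, end; /* addresses as integers, so wrap is well defined */
};

static void outbuf_init(struct outbuf *b, char *base, size_t len, int clamp)
{
    b->base = base;
    b->start = b->ptr = (uintptr_t)base;
    if (clamp && len > UINTPTR_MAX - b->start)
        len = UINTPTR_MAX - b->start; /* largest length that cannot wrap */
    b->end = b->start + len;          /* unclamped: can wrap to below start */
}

static void outbuf_write(struct outbuf *b, const char *s)
{
    size_t n = strlen(s), room = b->end - b->ptr; /* room is huge after a wrap */
    memcpy(b->base + (b->ptr - b->start), s, n < room ? n : room);
    b->ptr += n < room ? n : room;
}

/* Room left: append NUL; else assume truncation and overwrite the last byte. */
static void outbuf_done(struct outbuf *b)
{
    if (b->ptr < b->end)
        b->base[b->ptr - b->start] = '\0';
    else if (b->ptr > b->start)
        b->base[b->ptr - b->start - 1] = '\0';
}

static const char *bounded_copy(char *dst, size_t claimed_size, const char *s, int clamp)
{
    struct outbuf b;
    outbuf_init(&b, dst, claimed_size, clamp);
    outbuf_write(&b, s);
    outbuf_done(&b);
    return dst;
}

int main(void)
{
    char str[20]; /* constructed input, same size as in the report */
    printf("unclamped: %s\n", bounded_copy(str, SIZE_MAX, "Hello world!", 0));
    printf("clamped:   %s\n", bounded_copy(str, SIZE_MAX, "Hello world!", 1));
}
```

With an honest size the same termination logic behaves like a normal truncating copy, which is why the defect only appears when the stated length pushes the end address past the top of the address space.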