From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by sourceware.org (Postfix) with ESMTPS id 7E5113870C27 for ; Thu, 17 Mar 2022 19:32:13 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 7E5113870C27 Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-674-i7TSkqg4PYe1DEsJedsJJg-1; Thu, 17 Mar 2022 15:32:12 -0400 X-MC-Unique: i7TSkqg4PYe1DEsJedsJJg-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B79EA3801ED0 for ; Thu, 17 Mar 2022 19:32:11 +0000 (UTC) Received: from oldenburg.str.redhat.com (unknown [10.39.192.88]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 0B41E469A51 for ; Thu, 17 Mar 2022 19:32:10 +0000 (UTC) From: Florian Weimer To: libc-alpha@sourceware.org Subject: [PATCH 26/26] libio: Convert __vswprintf_internal to buffers (bug 27857) In-Reply-To: References: X-From-Line: 9bed5c50fe3e6c5872c94c451413ca50a2051ef5 Mon Sep 17 00:00:00 2001 Message-Id: <9bed5c50fe3e6c5872c94c451413ca50a2051ef5.1647544751.git.fweimer@redhat.com> Date: Thu, 17 Mar 2022 20:32:09 +0100 User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.85 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain X-Spam-Status: No, score=-11.8 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, KAM_SHORT, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H5, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Mar 2022 19:32:15 -0000 Always null-terminate the buffer and set E2BIG if the buffer is too small. This fixes bug 27857. --- include/printf_buffer.h | 1 + libio/tst_swprintf.c | 31 ++++++++- libio/vswprintf.c | 100 +++++----------------------- manual/stdio.texi | 7 +- stdio-common/wprintf_buffer_flush.c | 6 ++ 5 files changed, 57 insertions(+), 88 deletions(-) diff --git a/include/printf_buffer.h b/include/printf_buffer.h index 8b9a09647d..51d5dfc84e 100644 --- a/include/printf_buffer.h +++ b/include/printf_buffer.h @@ -194,6 +194,7 @@ bool __printf_buffer_flush (struct __printf_buffer *buf) attribute_hidden; enum __wprintf_buffer_mode { __wprintf_buffer_mode_failed, + __wprintf_buffer_mode_swprintf, __wprintf_buffer_mode_to_file, }; diff --git a/libio/tst_swprintf.c b/libio/tst_swprintf.c index 5ede402fff..6684749807 100644 --- a/libio/tst_swprintf.c +++ b/libio/tst_swprintf.c @@ -1,4 +1,5 @@ #include +#include #include #include #include @@ -37,6 +38,8 @@ do_test (void) for (n = 0; n < array_length(tests); ++n) { + wmemset (buf, 0xabcd, array_length (buf)); + errno = 0; ssize_t res = swprintf (buf, tests[n].n, L"%s", tests[n].str); if (tests[n].exp < 0 && res >= 0) @@ -52,9 +55,31 @@ do_test (void) swprintf (buf, %Zu, L\"%%s\", \"%s\") expected to return %Zd, but got %Zd\n", tests[n].n, tests[n].str, tests[n].exp, res); } - else - printf ("swprintf (buf, %Zu, L\"%%s\", \"%s\") OK\n", - tests[n].n, tests[n].str); + else if (res < 0 + && tests[n].n > 0 + && wcsnlen (buf, array_length (buf)) == array_length (buf)) + { + support_record_failure (); + printf ("\ +error: swprintf (buf, %Zu, L\"%%s\", \"%s\") missing null terminator\n", + tests[n].n, tests[n].str); + } + else if (res < 0 + && tests[n].n > 0 + && wcsnlen (buf, array_length (buf)) < array_length (buf) + && buf[wcsnlen (buf, array_length (buf)) + 1] != 0xabcd) + { + support_record_failure (); + printf ("\ +error: swprintf (buf, %Zu, L\"%%s\", \"%s\") out of bounds write\n", + tests[n].n, tests[n].str); + } + + if (res < 0 && tests[n].n < 0) + TEST_COMPARE (errno, E2BIG); + + printf ("swprintf (buf, %Zu, L\"%%s\", \"%s\") OK\n", + tests[n].n, tests[n].str); } TEST_COMPARE (swprintf (buf, array_length (buf), L"%.0s", "foo"), 0); diff --git a/libio/vswprintf.c b/libio/vswprintf.c index 5a9ccdff3e..f53545c806 100644 --- a/libio/vswprintf.c +++ b/libio/vswprintf.c @@ -24,101 +24,37 @@ This exception applies to code released by its copyright holders in files containing the exception. */ -#include "libioP.h" -#include "strfile.h" - - -static wint_t _IO_wstrn_overflow (FILE *fp, wint_t c) __THROW; - -static wint_t -_IO_wstrn_overflow (FILE *fp, wint_t c) -{ - /* When we come to here this means the user supplied buffer is - filled. But since we must return the number of characters which - would have been written in total we must provide a buffer for - further use. We can do this by writing on and on in the overflow - buffer in the _IO_wstrnfile structure. */ - _IO_wstrnfile *snf = (_IO_wstrnfile *) fp; - - if (fp->_wide_data->_IO_buf_base != snf->overflow_buf) - { - _IO_wsetb (fp, snf->overflow_buf, - snf->overflow_buf + (sizeof (snf->overflow_buf) - / sizeof (wchar_t)), 0); - - fp->_wide_data->_IO_write_base = snf->overflow_buf; - fp->_wide_data->_IO_read_base = snf->overflow_buf; - fp->_wide_data->_IO_read_ptr = snf->overflow_buf; - fp->_wide_data->_IO_read_end = (snf->overflow_buf - + (sizeof (snf->overflow_buf) - / sizeof (wchar_t))); - } - - fp->_wide_data->_IO_write_ptr = snf->overflow_buf; - fp->_wide_data->_IO_write_end = snf->overflow_buf; - - /* Since we are not really interested in storing the characters - which do not fit in the buffer we simply ignore it. */ - return c; -} - - -const struct _IO_jump_t _IO_wstrn_jumps libio_vtable attribute_hidden = -{ - JUMP_INIT_DUMMY, - JUMP_INIT(finish, _IO_wstr_finish), - JUMP_INIT(overflow, (_IO_overflow_t) _IO_wstrn_overflow), - JUMP_INIT(underflow, (_IO_underflow_t) _IO_wstr_underflow), - JUMP_INIT(uflow, (_IO_underflow_t) _IO_wdefault_uflow), - JUMP_INIT(pbackfail, (_IO_pbackfail_t) _IO_wstr_pbackfail), - JUMP_INIT(xsputn, _IO_wdefault_xsputn), - JUMP_INIT(xsgetn, _IO_wdefault_xsgetn), - JUMP_INIT(seekoff, _IO_wstr_seekoff), - JUMP_INIT(seekpos, _IO_default_seekpos), - JUMP_INIT(setbuf, _IO_default_setbuf), - JUMP_INIT(sync, _IO_default_sync), - JUMP_INIT(doallocate, _IO_wdefault_doallocate), - JUMP_INIT(read, _IO_default_read), - JUMP_INIT(write, _IO_default_write), - JUMP_INIT(seek, _IO_default_seek), - JUMP_INIT(close, _IO_default_close), - JUMP_INIT(stat, _IO_default_stat), - JUMP_INIT(showmanyc, _IO_default_showmanyc), - JUMP_INIT(imbue, _IO_default_imbue) -}; - +#include +#include +#include +#include int __vswprintf_internal (wchar_t *string, size_t maxlen, const wchar_t *format, va_list args, unsigned int mode_flags) { - _IO_wstrnfile sf; - int ret; - struct _IO_wide_data wd; -#ifdef _IO_MTSAFE_IO - sf.f._sbf._f._lock = NULL; -#endif - if (maxlen == 0) /* Since we have to write at least the terminating L'\0' a buffer length of zero always makes the function fail. */ return -1; - _IO_no_init (&sf.f._sbf._f, _IO_USER_LOCK, 0, &wd, &_IO_wstrn_jumps); - _IO_fwide (&sf.f._sbf._f, 1); - string[0] = L'\0'; - _IO_wstr_init_static (&sf.f._sbf._f, string, maxlen - 1, string); - ret = __vfwprintf_internal ((FILE *) &sf.f._sbf, format, args, mode_flags); + struct __wprintf_buffer buf; + __wprintf_buffer_init (&buf, string, maxlen, __wprintf_buffer_mode_swprintf); - if (sf.f._sbf._f._wide_data->_IO_buf_base == sf.overflow_buf) - /* ISO C99 requires swprintf/vswprintf to return an error if the - output does not fit in the provided buffer. */ - return -1; + __wprintf_buffer (&buf, format, args, mode_flags); + + if (buf.write_ptr == buf.write_end) + { + /* Buffer has been filled exactly, excluding the null wide + character. This is an error because the null wide character + is required. */ + buf.write_end[-1] = L'\0'; + return -1; + } - /* Terminate the string. */ - *sf.f._sbf._f._wide_data->_IO_write_ptr = '\0'; + buf.write_ptr[0] = L'\0'; - return ret; + return __wprintf_buffer_done (&buf); } int diff --git a/manual/stdio.texi b/manual/stdio.texi index 753c50920d..278ab462ae 100644 --- a/manual/stdio.texi +++ b/manual/stdio.texi @@ -2412,9 +2412,10 @@ allocate at least @var{size} wide characters for the string @var{ws}. The return value is the number of characters generated for the given input, excluding the trailing null. If not all output fits into the -provided buffer a negative value is returned. You should try again with -a bigger output string. @emph{Note:} this is different from how -@code{snprintf} handles this situation. +provided buffer a negative value is returned, and @code{errno} is set to +@code{E2BIG}. (The setting of @code{errno} is a GNU extension.) You +should try again with a bigger output string. @emph{Note:} this is +different from how @code{snprintf} handles this situation. Note that the corresponding narrow stream function takes fewer parameters. @code{swprintf} in fact corresponds to the @code{snprintf} diff --git a/stdio-common/wprintf_buffer_flush.c b/stdio-common/wprintf_buffer_flush.c index 2d91095cca..46af0f348f 100644 --- a/stdio-common/wprintf_buffer_flush.c +++ b/stdio-common/wprintf_buffer_flush.c @@ -16,6 +16,7 @@ License along with the GNU C Library; if not, see . */ +#include #include #include "printf_buffer-wchar_t.h" @@ -31,6 +32,11 @@ __wprintf_buffer_do_flush (struct __wprintf_buffer *buf) case __wprintf_buffer_mode_to_file: __wprintf_buffer_flush_to_file ((struct __wprintf_buffer_to_file *) buf); return; + case __wprintf_buffer_mode_swprintf: + buf->write_end[-1] = L'\0'; + __set_errno (E2BIG); + __wprintf_buffer_mark_failed (buf); + return; } __builtin_trap (); } -- 2.35.1