From: Alejandro Colomar
To: Vincent Lefevre, libc-alpha@sourceware.org
Cc: Stephan Bergmann, Paul Eggert, Simon Chopin, Andreas Schwab
Date: Sat, 18 Mar 2023 03:30:27 +0100
Subject: Re: UB status of snprintf on invalid ptr+size combination?
Message-ID: <9c8cae93-cb8c-8689-1f0e-2b87514d3702@gmail.com>
In-Reply-To: <20230318020725.GA15308@zira.vinc17.org>
References: <20230315123949.GC73312@zira.vinc17.org> <92810b6e-e7e6-6ffd-d33a-067b9f300059@redhat.com> <20230318020725.GA15308@zira.vinc17.org>

Hello Vincent,

On 3/18/23 03:07, Vincent Lefevre wrote:
> On 2023-03-16 11:29:31 +0100, Stephan Bergmann wrote:
>> On 15/03/2023 13:39, Vincent Lefevre wrote:
>>> No, it is not obvious. If the C standard does not say that this is
>>> the size of the array, then it does not have to be the size of the
>>> array. The C standard just says:
>>>
>>>   Otherwise, output characters beyond the n-1st are discarded rather
>>>   than being written to the array, and a null character is written at
>>>   the end of the characters actually written into the array.
>>
>> But in 7.1.4 "Use of library functions" the standard also says
>>
>>> If a function argument is described as being an array, the pointer
>>> passed to the function shall have a value such that all address
>>> computations and accesses to objects (that would be valid if the
>>> pointer did point to the first element of such an array) are
>>> valid.
>>
>> which could be construed as meaning that the n-1st array element must
>> always be accessible, even if a given invocation is known to always
>> generate less than n output characters.
>
> But the standard does not say that n is the size of the array.
> The size of the array could be the maximum of n and the size
> corresponding to the untruncated output string.

I guess you mean the minimum?  If it were the maximum, then it would
never truncate.

[assuming you meant minimum]:

As Andreas mentioned, that's valid for ISO C, but POSIX is more
restrictive.  Here's a quote from fprintf(3posix):

    The snprintf() function shall be equivalent to sprintf(), with the
    addition of the n argument which states the size of the buffer
    referred to by s.

It clearly specifies that 'n' is the size of the buffer, so
implementations are free to assume that `s+n` is a valid pointer.

>
> Similarly, for strncpy, I would not see n as the size of the arrays,
> i.e. it is not allowed for the implementation to read characters
> past a null character (possibly unless this does not have unwanted
> effects), even though such characters would be among the first n
> characters.

The size argument to strncpy(3) is the size of the destination buffer,
not the size of the input buffer.  The input buffer must be either a
string, or a character sequence at least as large as the destination
buffer.  Thus, in strncpy(3), reads are limited by `strnlen(src, size)`,
but writes are limited by `size`.

Cheers,
Alex

--
GPG key fingerprint: A9348594CE31283A826FBDD8D57633D441E25BB5
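The two bounds Alex describes (reads limited by strnlen(src, size), writes limited by size) and the POSIX rule that n is the size of the buffer behind s, as an added worked example that is not part of the thread and not glibc code. strncpy_model is a reference model written here to make the two strncpy bounds explicit; append_fmt is a hypothetical helper showing how to keep every (s, n) pair handed to vsnprintf valid across repeated appends, the situation in which the naive `off += snprintf(buf + off, size - off, ...)` idiom produces a pointer and size that no longer describe a real buffer after the first truncation (size - off wraps once off exceeds size). Both names and the sample inputs are constructed for this example.

```c
#include <assert.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Reference model of strncpy(3) (written for this example, not libc's
 * code).  Reads never go past src[size - 1]: strnlen stops at the first
 * NUL or at size, whichever comes first.  Writes always cover exactly
 * `size` bytes of dst: the copied prefix, then NUL padding. */
char *strncpy_model(char *dst, const char *src, size_t size)
{
    size_t n = strnlen(src, size);   /* read bound: min(strlen, size) */

    memcpy(dst, src, n);             /* n <= size, so stays inside dst */
    memset(dst + n, '\0', size - n); /* write bound: exactly size bytes */
    return dst;
}

/* Append formatted text to buf[size] at offset *off.
 *
 * Every vsnprintf call receives (buf + *off, size - *off), and *off is
 * kept strictly below size, so s + n == buf + size is always a valid
 * pointer, which is what POSIX lets the implementation assume.  On
 * truncation *off is parked at size - 1 (the final NUL) instead of the
 * would-be length, so the next call cannot wrap size - *off.
 *
 * Returns true if the whole text fit, false on truncation or error. */
bool append_fmt(char *buf, size_t size, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int r;

    if (size == 0 || *off >= size)
        return false;

    va_start(ap, fmt);
    r = vsnprintf(buf + *off, size - *off, fmt, ap);
    va_end(ap);

    if (r < 0) {                     /* encoding error: keep buf a string */
        buf[*off] = '\0';
        return false;
    }
    if ((size_t) r >= size - *off) { /* output did not fit; truncated */
        *off = size - 1;             /* buf[size - 1] is the NUL written */
        return false;
    }
    *off += (size_t) r;
    return true;
}

int main(void)
{
    char dst[8], ref[8];
    char out[16];
    size_t off = 0;

    /* Constructed sample: source shorter than size; the model and libc
     * strncpy must produce the same NUL-padded result. */
    strncpy_model(dst, "abc", sizeof dst);
    strncpy(ref, "abc", sizeof ref);
    assert(memcmp(dst, ref, sizeof dst) == 0);

    /* Constructed sample: repeated appends with one truncation; off
     * never exceeds size, so size - off never wraps. */
    assert(append_fmt(out, sizeof out, &off, "%s", "hello"));
    assert(!append_fmt(out, sizeof out, &off, "%s", ", world and more"));
    assert(off == sizeof out - 1 && out[off] == '\0');
    printf("out = \"%s\" (off = %zu)\n", out, off);
    return 0;
}
```

The test below checks the model against libc's strncpy for both a NUL-terminated source and a source that is exactly size bytes with no NUL (valid because the input only has to be a character sequence at least as large as the destination), and checks that append_fmt keeps the offset inside the buffer across a truncation.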