From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 128897 invoked by alias); 7 Jun 2017 10:02:02 -0000 Mailing-List: contact newlib-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: newlib-owner@sourceware.org Received: (qmail 127696 invoked by uid 89); 7 Jun 2017 10:02:00 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-24.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,SPF_HELO_PASS,T_RP_MATCHES_RCVD,UNSUBSCRIBE_BODY autolearn=ham version=3.3.2 spammy=H*c:application X-HELO: mx1.redhat.com Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Wed, 07 Jun 2017 10:01:55 +0000 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 214C3C04B31B for ; Wed, 7 Jun 2017 10:01:58 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mx1.redhat.com 214C3C04B31B Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; dmarc=none (p=none dis=none) header.from=redhat.com Authentication-Results: ext-mx07.extmail.prod.ext.phx2.redhat.com; spf=pass smtp.mailfrom=vinschen@redhat.com DKIM-Filter: OpenDKIM Filter v2.11.0 mx1.redhat.com 214C3C04B31B Received: from calimero.vinschen.de (ovpn-117-161.ams2.redhat.com [10.36.117.161]) by smtp.corp.redhat.com (Postfix) with ESMTP id B94EC62926 for ; Wed, 7 Jun 2017 10:01:57 +0000 (UTC) Received: by calimero.vinschen.de (Postfix, from userid 500) id 24EDDA8068C; Wed, 7 Jun 2017 12:01:57 +0200 (CEST) Date: Wed, 07 Jun 2017 10:02:00 -0000 From: Corinna Vinschen To: newlib@sourceware.org Subject: Re: Fix modification of string literal by swprintf Message-ID: <20170607100157.GB18287@calimero.vinschen.de> Reply-To: newlib@sourceware.org Mail-Followup-To: newlib@sourceware.org References: <608ad190-c35e-76b1-99d3-e96dd64d85e2@foss.arm.com> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="hHWLQfXTYDoKhP50" Content-Disposition: inline In-Reply-To: <608ad190-c35e-76b1-99d3-e96dd64d85e2@foss.arm.com> User-Agent: Mutt/1.8.0 (2017-02-23) X-SW-Source: 2017/txt/msg00387.txt.bz2 --hHWLQfXTYDoKhP50 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-length: 4013 On Jun 5 09:59, Thomas Preudhomme wrote: > Don't over-read memory returned by _DTOA_R, and never write to it > since the result might be a string literal. >=20 > For example, when doing: > swprintf(tt, 20, L"%.*f", 6, 0.0); >=20 > we will get back "0". >=20 > Instead, write the result returned by _DTOA_R to the output buffer. > After this, write the 0 chars directly to the the output buffer > (if there are any). This also has the (marginal) advantage that > we read/write less memory overall. >=20 > The patch, contributed by Silviu Baranga was tested against libcxx testsu= ite > and showed no regression. Please find the patch in git format-patch format > in attachment. >=20 > Best regards, >=20 > Thomas > >From 7a31cfb01a0b089daf2bed93b742b6edbf4cba0c Mon Sep 17 00:00:00 2001 > From: Silviu Baranga > Date: Mon, 5 Jun 2017 09:54:42 +0100 > Subject: [PATCH] Don't overread or write memory returned by _DTOA_R >=20 > Don't over-read memory returned by _DTOA_R, and never write to it > since the result might be a string literal. >=20 > For example, when doing: > swprintf(tt, 20, L"%.*f", 6, 0.0); >=20 > we will get back "0". >=20 > Instead, write the result returned by _DTOA_R to the output buffer. > After this, write the 0 chars directly to the the output buffer > (if there are any). This also has the (marginal) advantage that > we read/write less memory overall. > --- > newlib/libc/locale/setlocale.h | 2 +- > newlib/libc/stdio/vfwprintf.c | 24 ++++++++++++------------ > 2 files changed, 13 insertions(+), 13 deletions(-) >=20 > diff --git a/newlib/libc/locale/setlocale.h b/newlib/libc/locale/setlocal= e.h > index 85a38d5..1440d0e 100644 > --- a/newlib/libc/locale/setlocale.h > +++ b/newlib/libc/locale/setlocale.h > @@ -227,7 +227,7 @@ __get_locale_r (struct _reent *r) > _ELIDABLE_INLINE struct __locale_t * > __get_current_locale (void) > { > - return _REENT->_locale ?: __get_global_locale (); > + return _REENT->_locale ?: __get_global_locale (); // version for !_MB_= CAPABLE? > } This doesn't belong here. Also, the code is already fine for !_MB_CAPABLE as well. > /* Only access fixed "C" locale using this function. Fake for !_MB_CAPA= BLE > diff --git a/newlib/libc/stdio/vfwprintf.c b/newlib/libc/stdio/vfwprintf.c > index f0179a0..1bec9b2 100644 > --- a/newlib/libc/stdio/vfwprintf.c > +++ b/newlib/libc/stdio/vfwprintf.c > @@ -1627,13 +1627,20 @@ wcvt(struct _reent *data, _PRINTF_FLOAT_TYPE valu= e, int ndigits, int flags, >=20=20 > { > char *digits, *bp, *rve; > -#ifndef _MB_CAPABLE > int i; > -#endif >=20=20 > digits =3D _DTOA_R (data, value, mode, ndigits, decpt, &dsgn, &rve); >=20=20 > +#ifdef _MB_CAPABLE > + _mbsnrtowcs_r (data, buf, (const char **) &digits, rve - digits, > + len, NULL); > +#else > + for (i =3D 0; i < rve - digits && i < len; ++i) > + buf[i] =3D (wchar_t) digits[i]; > +#endif > + > if ((ch !=3D L'g' && ch !=3D L'G') || flags & ALT) { /* Print trailin= g zeros */ > + char *padding =3D rve; > bp =3D digits + ndigits; > if (ch =3D=3D L'f' || ch =3D=3D L'F') { > if (*digits =3D=3D L'0' && value) > @@ -1642,18 +1649,11 @@ wcvt(struct _reent *data, _PRINTF_FLOAT_TYPE valu= e, int ndigits, int flags, > } > if (value =3D=3D 0) /* kludge for __dtoa irregularity */ > rve =3D bp; > - while (rve < bp) > - *rve++ =3D '0'; > - } >=20=20 > + for (i =3D padding - digits; i < rve - digits && i < len; ++i) > + buf[i] =3D L'0'; Appending zeros here without incrementing rve... > + } > *length =3D rve - digits; /* full length of the string */ ...leads to incorrect setting of *length here. Or am I missing something? > -#ifdef _MB_CAPABLE > - _mbsnrtowcs_r (data, buf, (const char **) &digits, *length, > - len, NULL); > -#else > - for (i =3D 0; i < *length && i < len; ++i) > - buf[i] =3D (wchar_t) digits[i]; > -#endif > return buf; > } > } > --=20 > 1.9.1 >=20 Corinna --=20 Corinna Vinschen Cygwin Maintainer Red Hat --hHWLQfXTYDoKhP50 Content-Type: application/pgp-signature; name="signature.asc" Content-length: 819 -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQIcBAEBCAAGBQJZN88UAAoJEPU2Bp2uRE+g3YoQAKA43V9V+fmTCSeLUdm+qbI6 cq0MUmI+x6UxD768ufdA5A767cJjtcbscUbKpiv34dBkd+XsR1n79Lz4XkoxzqLX hcqL85tqmWGW5YElUhTi8Yq+cUS1evFMvqYT5ECr066j3F9Swv29ob0u8AgluuRi Gw1Q7Pl536+3TuWpX5OVLBIcS4uG/bL3gfkDNfGrVqsDFLlGVSRBgyu8ARlJ4fHl SMfAgWkgbe+8nx1nhh6ZckAbQj6GXQhe1eonKZXTTxKLTaefTPZ4HdWcEFSx92f9 y3hculdEsDJ+j1+zAeI/LTkQn85/qlbXSBaoY79hE5gBJQ/B9PLoqTvgEPMUqtZv kcfa2BJfzhIgyi6cr/ppvj9f4NjuwAV5KMQQ2jZxkz4vVb39gukVq6Iep6l2NZs4 ojQn2cX2s+A1WHhlSHemaWHbEKUtKS0U5u66hwbfcaERTI5BgrVtzF0IdmJlGcDL I4WeQJxAEN1tIgSINLt0YoVxBRIyzyzC0tImCrZsP84Tsgt52eF/kWKSpUnmfpHm x8OmcBgaVZQaB2NLOnNh2pKdE6aVgdQ8i0S0kHhR+2P7V7K1GGLNMxHhPVd5ea4S W0+Sv67d460RMDRiBrG3/KCgOR+K3J/iccA8udCJ4C9Ddxh/C2kLQHwdJcNz53kp 7m57bYswpUtwDYLvwG49 =W9mU -----END PGP SIGNATURE----- --hHWLQfXTYDoKhP50--