On Tue, 26 Sep 2023 12:41:47 +0900 Takashi Yano wrote:
> Hi,
>
> I noticed that the following test case crashes at printf() with current
> newlib.
>
> #include <stdio.h>
> #include <wchar.h>
> #include <locale.h>
>
> int main()
> {
>   setlocale(LC_ALL, "C.UTF-8");
>   wprintf(L"%ls\n", L"aaaa"); /* or fwide(stdout, 1); */
>   printf("%ls\n", L"bbbb");   /* <--- crash here */
>   return 0;
> }
>
> I looked into this problem and found the cause.
>
> A narrow char string, which can be odd bytes in length, is cast into
> a wide char string, which should be even bytes in length, in __sprint_r/
> __sfputs_r based on the __SWID flag. As a result, if the length is
> odd bytes, the reading buffer runs over the buffer length, which causes
> a crash. If the length is even bytes, the crash does not happen, but garbage
> is printed. This happens if printf("%ls\r\n", L"bbbb"); is used instead.
>                                         ^^
>
> The same issue seemed to be reported ten years ago.
> https://sourceware.org/pipermail/newlib/2013/010831.html
>
> I have built a patch attached for this issue.
>
> With this patch, __sfputs_r/__sprint_r is split into two versions, one
> is for vfprintf which does not handle wide string, and the other (newly
> introduced __sfputws_r/__swprin_r) is for vfwprintf which handles wide
> string. Please note that fprintf gets working for wide orient stream
> just like BSD libc, which behaves differently from GNU libc.
>
> This patch also fixes nano-vfprintf.c as well as vfprintf.c/vfwprintf.c
> in the same manner.

v2: Remove __sprint_r from nano-vfprintf.c which does not seem to be used anymore.

-- 
Takashi Yano