Date: Tue, 3 Oct 2023 17:30:17 +0900
From: Takashi Yano
To: newlib@sourceware.org
Subject: Re: fprintf() crashes on wide-oriented stream.

Ping?
Is this Corinna's domain?

On Tue, 26 Sep 2023 17:30:13 +0900
Takashi Yano wrote:
> On Tue, 26 Sep 2023 12:41:47 +0900
> Takashi Yano wrote:
> > Hi,
> >
> > I noticed that the following test case crashes at printf() with current
> > newlib.
> >
> >
> > #include <stdio.h>
> > #include <wchar.h>
> > #include <locale.h>
> >
> > int main()
> > {
> >   setlocale(LC_ALL, "C.UTF-8");
> >   wprintf(L"%ls\n", L"aaaa"); /* or fwide(stdout, 1); */
> >   printf("%ls\n", L"bbbb"); /* <--- crash here */
> >   return 0;
> > }
> >
> >
> > I looked into this problem and found the cause.
> >
> > A narrow char string which can be odd bytes in length is cast into
> > a wide char string which should be even bytes in length in __sprint_r/
> > __sfputs_r based on the __SWID flag. As a result, if the length is
> > odd bytes, the reading buffer runs over the buffer length, which causes
> > a crash. If the length is even bytes, crash does not happen, but garbage
> > is printed. This happens if printf("%ls\r\n", L"bbbb"); is used instead.
> >                                        ^^
> >
> > The same issue seemed to be reported ten years ago.
> > https://sourceware.org/pipermail/newlib/2013/010831.html
> >
> > I have built a patch attached for this issue.
> >
> > With this patch, __sfputs_r/__sprint_r is split into two versions, one
> > is for vfprintf which does not handle wide string, and the other (newly
> > introduced __sfputws_r/__swprin_r) is for vfwprintf which handles wide
> > string. Please note that fprintf gets working for wide orient stream
> > just like BSD libc, which behaves differently from GNU libc.
> >
> > This patch also fixes nano-vfprintf.c as well as vfprintf.c/vfwprintf.c
> > in the same manner.
>
> v2: Remove __sprint_r from nano-vfprintf.c which does not seem to be used
> anymore.
>
> --
> Takashi Yano

-- 
Takashi Yano
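
Added example, not part of the original message and not newlib code: a small C model of the odd/even length behaviour described in the quoted report. The 2-byte wide unit, the names consume_as_wide and consume_as_narrow, and the sample byte strings are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: 2-byte wide units, as the report's "even bytes" wording implies. */
typedef uint16_t wide_unit;

/* Model of the flawed path: narrow bytes are consumed as whole wide units.
 * Returns how many bytes the consumer steps over; a value above len is an
 * over-read. Units are copied only while they fit, so this model itself
 * never reads outside buf. */
size_t consume_as_wide(const char *buf, size_t len, wide_unit *out, size_t *n_out)
{
    size_t touched = 0;
    *n_out = 0;
    while (touched < len) {
        if (touched + sizeof(wide_unit) <= len)
            memcpy(&out[(*n_out)++], buf + touched, sizeof(wide_unit));
        touched += sizeof(wide_unit);
    }
    return touched;
}

/* Byte-wise path: one unit per narrow byte, exactly len bytes read. */
size_t consume_as_narrow(const char *buf, size_t len, wide_unit *out, size_t *n_out)
{
    for (*n_out = 0; *n_out < len; (*n_out)++)
        out[*n_out] = (unsigned char)buf[*n_out];
    return len;
}

int main(void)
{
    /* Constructed inputs: the narrow bytes of "bbbb\n" (odd) and "bbbb\r\n" (even). */
    const char *cases[] = { "bbbb\n", "bbbb\r\n" };
    for (size_t c = 0; c < 2; c++) {
        wide_unit out[8];
        size_t n, len = strlen(cases[c]);
        size_t touched = consume_as_wide(cases[c], len, out, &n);
        printf("len=%zu wide path steps over %zu bytes (%s), %zu units, last=0x%04x\n",
               len, touched, touched > len ? "over-read" : "in bounds", n, (unsigned)out[n - 1]);
        consume_as_narrow(cases[c], len, out, &n);
        printf("len=%zu byte-wise path: %zu units, last=0x%04x\n", len, n, (unsigned)out[n - 1]);
    }
    return 0;
}
```

The odd-length input makes the wide path step one byte past the buffer, while the even-length input stays in bounds but packs two narrow bytes into each unit, which is the garbage case.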