diff options
author | Jeff Law <law@redhat.com> | 2014-12-15 10:09:32 +0100 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2014-12-15 10:09:33 +0100 |
commit | a5357b7ce2a2982c5778435704bcdb55ce3667a0 (patch) | |
tree | 1292d6cb3f935bf84f07a1acc2fc92409dce1084 /stdio-common/bug23-2.c | |
parent | 3a12c70f137707074209241e6c6172ea25f9ab4a (diff) | |
download | glibc-a5357b7ce2a2982c5778435704bcdb55ce3667a0.tar.gz glibc-a5357b7ce2a2982c5778435704bcdb55ce3667a0.tar.xz glibc-a5357b7ce2a2982c5778435704bcdb55ce3667a0.zip |
CVE-2012-3406: Stack overflow in vfprintf [BZ #16617]
A larger number of format specifiers coudld cause a stack overflow, potentially allowing to bypass _FORTIFY_SOURCE format string protection.
Diffstat (limited to 'stdio-common/bug23-2.c')
-rw-r--r-- | stdio-common/bug23-2.c | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/stdio-common/bug23-2.c b/stdio-common/bug23-2.c new file mode 100644 index 0000000000..9e0cfe6860 --- /dev/null +++ b/stdio-common/bug23-2.c @@ -0,0 +1,70 @@ +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +static const char expected[] = "\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55\ +\n\ +a\n\ +abbcd55%%%%%%%%%%%%%%%%%%%%%%%%%%\n"; + +static int +do_test (void) +{ + char *buf = malloc (strlen (expected) + 1); + snprintf (buf, strlen (expected) + 1, + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "\n%1$s\n" "%1$s" "%2$s" "%2$s" "%3$s" "%4$s" "%5$d" "%5$d" + "%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%\n", + "a", "b", "c", "d", 5); + return strcmp (buf, expected) != 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |