summary refs log tree commit diff
path: root/stdio-common/bug22.c
Commit message (Collapse)AuthorAgeFilesLines
* Remove most vfprintf width/precision-dependent allocations (bug 14231, bug ↵Joseph Myers2020-07-071-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | 26211). The vfprintf implementation (used for all printf-family functions) contains complicated logic to allocate internal buffers of a size depending on the width and precision used for a format, using either malloc or alloca depending on that size, and with consequent checks for size overflow and allocation failure. As noted in bug 26211, the version of that logic used when '$' plus argument number formats are in use is missing the overflow checks, which can result in segfaults (quite possibly exploitable, I didn't try to work that out) when the width or precision is in the range 0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the wprintf case on 32-bit systems, when the multiplication by sizeof (CHAR_T) can overflow). All that complicated logic in fact appears to be useless. As far as I can tell, there has been no need (outside the floating-point printf code, which does its own allocations) for allocations depending on width or precision since commit 3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus, this patch removes that logic completely, thereby fixing both problems with excessive allocations for large width and precision for non-floating-point formats, and the problem with missing overflow checks with such allocations. Note that this does have the consequence that width and precision up to INT_MAX are now allowed where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have been rejected, so could potentially expose any other overflows where the value would previously have been rejected by those removed checks. I believe this completely fixes bugs 14231 and 26211. Excessive allocations are still possible in the floating-point case (bug 21127), as are other integer or buffer overflows (see bug 26201). This does not address the cases where a precision larger than INT_MAX (embedded in the format string) would be meaningful without printf's return value overflowing (when it's used with a string format, or %g without the '#' flag, so the actual output will be much smaller), as mentioned in bug 17829 comment 8; using size_t internally for precision to handle that case would be complicated by struct printf_info being a public ABI. Nor does it address the matter of an INT_MIN width being negated (bug 17829 comment 7; the same logic appears a second time in the file as well, in the form of multiplying by -1). There may be other sources of memory allocations with malloc in printf functions as well (bug 24988, bug 16060). From inspection, I think there are also integer overflows in two copies of "if ((width -= len) < 0)" logic (where width is int, len is size_t and a very long string could result in spurious padding being output on a 32-bit system before printf overflows the count of output characters). Tested for x86-64 and x86.
* Disable -Wformat-overflow= warnings for some printf tests.Joseph Myers2018-11-011-0/+22
| | | | | | | | | | | | | | | | | | Recent GCC -Wformat-overflow= changes result in some printf tests failing to build, because those tests are deliberately testing the handling of formats writing more than INT_MAX characters and the handling of NULL arguments to the %s format, which GCC now warns about. This patch duly disables -Wformat-overflow= for the relevant calls to printf functions. Tested with build-many-glibcs.py with GCC mainline for aarch64-linux-gnu. * stdio-common/bug22.c: Include <libc-diag.h>. (do_test): Disable -Wformat-overflow= warnings around fprintf calls outputting more than INT_MAX characters. * stdio-common/tst-printf.c: Disable -Wformat-overflow= warnings around printf call with NULL %s argument.
* Bump up stdio bug22 timeout from 30 seconds to 60 secondsChris Metcalf2012-05-171-1/+1
| | | | | The older Tilera platform (tilepro) needs just a hair over 30 seconds to run this on one core.
* Tighten up vfprintf width, precision, and total length overflow handling.David S. Miller2012-04-021-2/+26
| | | | | | | | | | | | | | | | With help from Paul Eggert, Carlos O'Donell, and Roland McGrath. * stdio-common/printf-parse.h (read_int): Change return type to 'int', return -1 on INT_MAX overflow. * stdio-common/vfprintf.c (vfprintf): Validate width and precision against overflow of INT_MAX. Set errno to EOVERFLOW when 'done' overflows INT_MAX. Check for overflow of in-format-string precision values properly. Use EOVERFLOW rather than ERANGE throughout. Use SIZE_MAX not INT_MAX for integer overflow test. * stdio-common/printf-parsemb.c: If read_int signals an overflow, skip the construct in the format string but do not record anything. * stdio-common/bug22.c: Adjust to test both width/prevision INT_MAX overflow as well as total length INT_MAX overflow. Check explicitly for proper errno values.
* [BZ #5424, BZ #5428, BZ #5451]Ulrich Drepper2007-12-101-0/+32
2007-12-08 Ulrich Drepper <drepper@redhat.com> [BZ #5424] * stdio-common/vfprintf.c: Do not overflow when adding to done. * stdio-common/Makefile (tests): Add bug22. * stdio-common/bug22.c: New file. [BZ #5451] * time/getdate.c: Fix filling in default values. * time/bug-getdate1.c: New file. * time/Makefile: Add rules to build and run bug-getdate1. * iconvdata/ebcdic-is-friss.c: Use 8bit-gap instead of 8bit-generic. * iconvdata/ebcdic-es.c: Likewise. * iconvdata/ebcdic-es-a.c: Likewise. * iconvdata/ebcdic-uk.c: Likewise. * iconvdata/iso8859-16.c: Likewise. * iconvdata/viscii.c: Likewise. * iconvdata/iso8859-9e.c: Likewise. * iconvdata/Makefile: Adjust appropriately. [BZ #5428] * wcsmbs/wchar.h: Unconditionally undefine __need_mbstate and __need_wint_t. * iconvdata/gconv-modules: Likewise.