| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
A recent GCC mainline change introduces errors of the form:
vfprintf-internal.c: In function 'group_number':
vfprintf-internal.c:2093:15: error: 'memmove' specified bound between 9223372036854775808 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=]
2093 | memmove (w, s, (front_ptr -s) * sizeof (CHAR_T));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This is a genuine bug in the glibc code: s > front_ptr is always true
at this point in the code, and the intent is clearly for the
subtraction to be the other way round. The other arguments to the
memmove call here also appear to be wrong; w and s point just *after*
the destination and source for copying the rest of the number, so the
size needs to be subtracted to get appropriate pointers for the
copying. Adjust the memmove call to conform to the apparent intent of
the code, so fixing the -Wstringop-overflow error.
Now, if the original code were ever executed, a buffer overrun would
result. However, I believe this code (introduced in commit
edc1686af0c0fc2eb535f1d38cdf63c1a5a03675, "vfprintf: Reuse work_buffer
in group_number", so in glibc 2.26) is unreachable in prior glibc
releases (so there is no need for a bug in Bugzilla, no need to
consider any backports unless someone wants to build older glibc
releases with GCC 12 and no possibility of this buffer overrun
resulting in a security issue).
work_buffer is 1000 bytes / 250 wide characters. This case is only
reachable if an initial part of the number, plus a grouped copy of the
rest of the number, fail to fit in that space; that is, if the grouped
number fails to fit in the space. In the wide character case,
grouping is always one wide character, so even with a locale (of which
there aren't any in glibc) grouping every digit, a number would need
to occupy at least 125 wide characters to overflow, and a 64-bit
integer occupies at most 23 characters in octal including a leading 0.
In the narrow character case, the multibyte encoding of the grouping
separator would need to be at least 42 bytes to overflow, again
supposing grouping every digit, but MB_LEN_MAX is 16. So even if we
admit the case of artificially constructed locales not shipped with
glibc, given that such a locale would need to use one of the character
sets supported by glibc, this code cannot be reached at present. (And
POSIX only actually specifies the ' flag for grouping for decimal
output, though glibc acts on it for other bases as well.)
With binary output (if you consider use of grouping there to be
valid), you'd need a 15-byte multibyte character for overflow; I don't
know if any supported character set has such a character (if, again,
we admit constructed locales using grouping every digit and a grouping
separator chosen to have a multibyte encoding as long as possible, as
well as accepting use of grouping with binary), but given that we have
this code at all (clearly it's not *correct*, or in accordance with
the principle of avoiding arbitrary limits, to skip grouping on
running out of internal space like that), I don't think it should need
any further changes for binary printf support to go in.
On the other hand, support for large sizes of _BitInt in printf (see
the N2858 proposal) *would* require something to be done about such
arbitrary limits (presumably using dynamic allocation in printf again,
for sufficiently large _BitInt arguments only - currently only
floating-point uses dynamic allocation, and, as previously discussed,
that could actually be replaced by bounded allocation given smarter
code).
Tested with build-many-glibcs.py for aarch64-linux-gnu (GCC mainline).
Also tested natively for x86_64.
(cherry picked from commit db6c4935fae6005d46af413b32aa92f4f6059dce)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
26211).
The vfprintf implementation (used for all printf-family functions)
contains complicated logic to allocate internal buffers of a size
depending on the width and precision used for a format, using either
malloc or alloca depending on that size, and with consequent checks
for size overflow and allocation failure.
As noted in bug 26211, the version of that logic used when '$' plus
argument number formats are in use is missing the overflow checks,
which can result in segfaults (quite possibly exploitable, I didn't
try to work that out) when the width or precision is in the range
0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the
wprintf case on 32-bit systems, when the multiplication by sizeof
(CHAR_T) can overflow).
All that complicated logic in fact appears to be useless. As far as I
can tell, there has been no need (outside the floating-point printf
code, which does its own allocations) for allocations depending on
width or precision since commit
3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size
of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus,
this patch removes that logic completely, thereby fixing both problems
with excessive allocations for large width and precision for
non-floating-point formats, and the problem with missing overflow
checks with such allocations. Note that this does have the
consequence that width and precision up to INT_MAX are now allowed
where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have
been rejected, so could potentially expose any other overflows where
the value would previously have been rejected by those removed checks.
I believe this completely fixes bugs 14231 and 26211.
Excessive allocations are still possible in the floating-point case
(bug 21127), as are other integer or buffer overflows (see bug 26201).
This does not address the cases where a precision larger than INT_MAX
(embedded in the format string) would be meaningful without printf's
return value overflowing (when it's used with a string format, or %g
without the '#' flag, so the actual output will be much smaller), as
mentioned in bug 17829 comment 8; using size_t internally for
precision to handle that case would be complicated by struct
printf_info being a public ABI. Nor does it address the matter of an
INT_MIN width being negated (bug 17829 comment 7; the same logic
appears a second time in the file as well, in the form of multiplying
by -1). There may be other sources of memory allocations with malloc
in printf functions as well (bug 24988, bug 16060). From inspection,
I think there are also integer overflows in two copies of "if ((width
-= len) < 0)" logic (where width is int, len is size_t and a very long
string could result in spurious padding being output on a 32-bit
system before printf overflows the count of output characters).
Tested for x86-64 and x86.
(cherry picked from commit 6caddd34bd7ffb5ac4f36c8e036eee100c2cc535)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an updated version of a previous patch [1] with the
following changes:
- Use compiler overflow builtins on done_add_func function.
- Define the scratch +utstring_converted_wide_string using
CHAR_T.
- Added a testcase and mention the bug report.
Both default and wide printf functions might leak memory when
manipulate multibyte characters conversion depending of the size
of the input (whether __libc_use_alloca trigger or not the fallback
heap allocation).
This patch fixes it by removing the extra memory allocation on
string formatting with conversion parts.
The testcase uses input argument size that trigger memory leaks
on unpatched code (using a scratch buffer the threashold to use
heap allocation is lower).
Checked on x86_64-linux-gnu and i686-linux-gnu.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
[1] https://sourceware.org/pipermail/libc-alpha/2017-June/082098.html
(cherry picked from commit 3cc4a8367c23582b7db14cf4e150e4068b7fd461)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch eliminates a number of #if 0 and #ifdef TODO blocks, macros
that are never used, macros that provide portability to substrates that
lack basic things like EINVAL and off_t, and other such debris.
I preserved IO_DEBUG and CHECK_FILE, even though as far as I can tell
IO_DEBUG is never defined and therefore CHECK_FILE never does
anything, because it seems like we might actually want to turn it _on_.
Installed stripped libraries and executables are unchanged, except,
again, that the line number of an assertion changes (this time it's
somewhere in fileops.c).
* libio/libio.h (_IO_pos_BAD, _IO_pos_0, _IO_pos_adjust):
Define here, unconditionally.
* libio/iolibio.h (_IO_pos_BAD): Don't define here.
* libio/libioP.h: Remove #if 0 blocks.
(_IO_pos_BAD, _IO_pos_0, _IO_pos_adjust): Don't define here.
(_IO_va_start, COERCE_FILE, MAYBE_SET_EINVAL): Don't define.
(CHECK_FILE): Don't use MAYBE_SET_EINVAL or COERCE_FILE. Fix style.
* libio/clearerr.c, libio/fputc.c, libio/getchar.c:
Assume weak_alias is always defined.
* libio/fileops.c, libio/genops.c, libio/oldfileops.c
* libio/oldpclose.c, libio/pclose.c, libio/wfileops.c:
Remove #if 0 and #ifdef TODO blocks.
Assume text_set_element is always defined.
* libio/iofdopen.c, libio/iogetdelim.c, libio/oldiofdopen.c
Use __set_errno (EINVAL) instead of MAYBE_SET_EINVAL.
* libio/tst-mmap-eofsync.c: Make #if 1 block unconditional.
|
| |
|
|
|
|
|
|
|
|
| |
This entirely mechanical (except for some indentation fixups) patch
replaces all uses of _IO_file_flags with _flags and removes the #define.
Installed stripped libraries and executables are unchanged by this patch.
* libio/libio.h (_IO_file_flags): Remove macro.
All uses changed to _flags.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch mechanically removes all remaining uses, and the
definitions, of the following libio name aliases:
name replaced with
---- -------------
_IO_FILE FILE
_IO_fpos_t __fpos_t
_IO_fpos64_t __fpos64_t
_IO_size_t size_t
_IO_ssize_t ssize_t or __ssize_t
_IO_off_t off_t
_IO_off64_t off64_t
_IO_pid_t pid_t
_IO_uid_t uid_t
_IO_wint_t wint_t
_IO_va_list va_list or __gnuc_va_list
_IO_BUFSIZ BUFSIZ
_IO_cookie_io_functions_t cookie_io_functions_t
__io_read_fn cookie_read_function_t
__io_write_fn cookie_write_function_t
__io_seek_fn cookie_seek_function_t
__io_close_fn cookie_close_function_t
I used __fpos_t and __fpos64_t instead of fpos_t and fpos64_t because
the definitions of fpos_t and fpos64_t depend on the largefile mode.
I used __ssize_t and __gnuc_va_list in a handful of headers where
namespace cleanliness might be relevant even though they're
internal-use-only. In all other cases, I used the public-namespace
name.
There are a tiny handful of places where I left a use of 'struct _IO_FILE'
alone, because it was being used together with 'struct _IO_FILE_plus'
or 'struct _IO_FILE_complete' in the same arithmetic expression.
Because this patch was almost entirely done with search and replace, I
may have introduced indentation botches. I did proofread the diff,
but I may have missed something.
The ChangeLog below calls out all of the places where this was not a
pure search-and-replace change.
Installed stripped libraries and executables are unchanged by this patch,
except that some assertions in vfscanf.c change line numbers.
* libio/libio.h (_IO_FILE): Delete; all uses changed to FILE.
(_IO_fpos_t): Delete; all uses changed to __fpos_t.
(_IO_fpos64_t): Delete; all uses changed to __fpos64_t.
(_IO_size_t): Delete; all uses changed to size_t.
(_IO_ssize_t): Delete; all uses changed to ssize_t or __ssize_t.
(_IO_off_t): Delete; all uses changed to off_t.
(_IO_off64_t): Delete; all uses changed to off64_t.
(_IO_pid_t): Delete; all uses changed to pid_t.
(_IO_uid_t): Delete; all uses changed to uid_t.
(_IO_wint_t): Delete; all uses changed to wint_t.
(_IO_va_list): Delete; all uses changed to va_list or __gnuc_va_list.
(_IO_BUFSIZ): Delete; all uses changed to BUFSIZ.
(_IO_cookie_io_functions_t): Delete; all uses changed to
cookie_io_functions_t.
(__io_read_fn): Delete; all uses changed to cookie_read_function_t.
(__io_write_fn): Delete; all uses changed to cookie_write_function_t.
(__io_seek_fn): Delete; all uses changed to cookie_seek_function_t.
(__io_close_fn): Delete: all uses changed to cookie_close_function_t.
* libio/iofopncook.c: Remove unnecessary forward declarations.
* libio/iolibio.h: Correct outdated commentary.
* malloc/malloc.c (__malloc_stats): Remove unnecessary casts.
* stdio-common/fxprintf.c (__fxprintf_nocancel):
Remove unnecessary casts.
* stdio-common/getline.c: Use _IO_getdelim directly.
Don't redefine ssize_t.
* stdio-common/printf_fp.c, stdio_common/printf_fphex.c
* stdio-common/printf_size.c: Don't redefine size_t or FILE.
Remove outdated comments.
* stdio-common/vfscanf.c: Don't redefine va_list.
|
| |
|
|
|
|
|
|
| |
Two files in stdio-common were unnecessarily redefining some standard
symbols as their _IO_ aliases.
* stdio-common/vfprintf.c: Don't redefine FILE, va_list, or BUFSIZ.
* stdio-common/tstgetln.c: Don't redefine ssize_t.
|
| |
|
|
|
|
|
| |
* All files with FSF copyright notices: Update copyright dates
using scripts/update-copyrights.
* locale/programs/charmap-kw.h: Regenerated.
* locale/programs/locfile-kw.h: Likewise.
|
| | |
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add strfromf128 to stdlib when _Float128 support is enabled.
* stdio-common/printf-parsemb.c (__parse_one_specmb): Initialize
spec->info.is_binary128 to zero.
* stdio-common/printf.h (printf_info): Add new member is_binary128
to indicate that the number being converted to string is compatible
with the IEC 60559 binary128 format.
* stdio-common/printf_fp.c (__printf_fp_l): Add code to deal with
_Float128 numbers.
* stdio-common/printf_fphex.c: Include ieee754_float128.h and
ldbl-128/printf_fphex_macros.h
(__printf_fphex): Add code to deal with _Float128 numbers.
* stdio-common/printf_size.c (__printf_size): Likewise.
* stdio-common/vfprintf.c (process_arg): Initialize member
info.is_binary128 to zero.
* stdlib/fpioconst.h (FLT128_MAX_10_EXP_LOG): New macro.
* stdlib/stdlib.h: Include bits/floatn.h for _Float128 support.
(strfromf128): New declaration.
* stdlib/strfrom-skeleton.c (STRFROM): Set member info.is_binary128
to one.
* sysdeps/ieee754/float128/Makefile: Add strfromf128.
* sysdeps/ieee754/float128/Versions: Likewise.
* sysdeps/ieee754/float128/strfromf128.c: New file.
|
| |
|
|
|
|
|
| |
The magic number 32 is used everywhere as extra size to
use when doing certain operations. This commit refactors
that into a macro so you can change this value if you're
debugging something in a local build.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit puts all libio vtables in a dedicated, read-only ELF
section, so that they are consecutive in memory. Before any indirect
jump, the vtable pointer is checked against the section boundaries,
and the process is terminated if the vtable pointer does not fall into
the special ELF section.
To enable backwards compatibility, a special flag variable
(_IO_accept_foreign_vtables), protected by the pointer guard, avoids
process termination if libio stream object constructor functions have
been called earlier. Such constructor functions are called by the GCC
2.95 libstdc++ library, and this mechanism ensures compatibility with
old binaries. Existing callers inside glibc of these functions are
adjusted to call the original functions, not the wrappers which enable
vtable compatiblity.
The compatibility mechanism is used to enable passing FILE * objects
across a static dlopen boundary, too.
|
| |
|
|
| |
Free a previously allocated work buffer if it is not large enough.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It was noted in
<https://sourceware.org/ml/libc-alpha/2012-09/msg00305.html> that the
bits/*.h naming scheme should only be used for installed headers.
This patch renames bits/libc-lock.h to plain libc-lock.h and
bits/libc-lockP.h to plain libc-lockP.h to follow that convention.
Note that I don't know where libc-lockP.h comes from for Hurd (the
Hurd libc-lock.h includes libc-lockP.h, but the only libc-lockP.h in
the glibc source tree is for NPTL) - some unmerged patch? - but I
updated the #include in the Hurd libc-lock.h anyway.
Tested for x86_64 (testsuite, and that installed stripped shared
libraries are unchanged by the patch).
[BZ #14912]
* bits/libc-lock.h: Move to ...
* sysdeps/generic/libc-lock.h: ...here.
(_BITS_LIBC_LOCK_H): Rename macro to _LIBC_LOCK_H.
* sysdeps/mach/hurd/bits/libc-lock.h: Move to ...
* sysdeps/mach/hurd/libc-lock.h: ...here.
(_BITS_LIBC_LOCK_H): Rename macro to _LIBC_LOCK_H.
[_LIBC]: Include <libc-lockP.h> instead of <bits/libc-lockP.h>.
* sysdeps/mach/bits/libc-lock.h: Move to ...
* sysdeps/mach/libc-lock.h: ...here.
(_BITS_LIBC_LOCK_H): Rename macro to _LIBC_LOCK_H.
* sysdeps/nptl/bits/libc-lock.h: Move to ...
* sysdeps/nptl/libc-lock.h: ...here.
(_BITS_LIBC_LOCK_H): Rename macro to _LIBC_LOCK_H.
* sysdeps/nptl/bits/libc-lockP.h: Move to ...
* sysdeps/nptl/libc-lockP.h: ...here.
(_BITS_LIBC_LOCKP_H): Rename macro to _LIBC_LOCKP_H.
* crypt/crypt_util.c: Include <libc-lock.h> instead of
<bits/libc-lock.h>.
* dirent/scandir-tail.c: Likewise.
* dlfcn/dlerror.c: Likewise.
* elf/dl-close.c: Likewise.
* elf/dl-iteratephdr.c: Likewise.
* elf/dl-lookup.c: Likewise.
* elf/dl-open.c: Likewise.
* elf/dl-support.c: Likewise.
* elf/dl-writev.h: Likewise.
* elf/rtld.c: Likewise.
* grp/fgetgrent.c: Likewise.
* gshadow/fgetsgent.c: Likewise.
* gshadow/sgetsgent.c: Likewise.
* iconv/gconv_conf.c: Likewise.
* iconv/gconv_db.c: Likewise.
* iconv/gconv_dl.c: Likewise.
* iconv/gconv_int.h: Likewise.
* iconv/gconv_trans.c: Likewise.
* include/link.h: Likewise.
* inet/getnameinfo.c: Likewise.
* inet/getnetgrent.c: Likewise.
* inet/getnetgrent_r.c: Likewise.
* intl/bindtextdom.c: Likewise.
* intl/dcigettext.c: Likewise.
* intl/finddomain.c: Likewise.
* intl/gettextP.h: Likewise.
* intl/loadmsgcat.c: Likewise.
* intl/localealias.c: Likewise.
* intl/textdomain.c: Likewise.
* libidn/idn-stub.c: Likewise.
* libio/libioP.h: Likewise.
* locale/duplocale.c: Likewise.
* locale/freelocale.c: Likewise.
* locale/newlocale.c: Likewise.
* locale/setlocale.c: Likewise.
* login/getutent_r.c: Likewise.
* login/getutid_r.c: Likewise.
* login/getutline_r.c: Likewise.
* login/utmp-private.h: Likewise.
* login/utmpname.c: Likewise.
* malloc/mtrace.c: Likewise.
* misc/efgcvt.c: Likewise.
* misc/error.c: Likewise.
* misc/fstab.c: Likewise.
* misc/getpass.c: Likewise.
* misc/mntent.c: Likewise.
* misc/syslog.c: Likewise.
* nis/nis_call.c: Likewise.
* nis/nis_callback.c: Likewise.
* nis/nss-default.c: Likewise.
* nis/nss_compat/compat-grp.c: Likewise.
* nis/nss_compat/compat-initgroups.c: Likewise.
* nis/nss_compat/compat-pwd.c: Likewise.
* nis/nss_compat/compat-spwd.c: Likewise.
* nis/nss_nis/nis-alias.c: Likewise.
* nis/nss_nis/nis-ethers.c: Likewise.
* nis/nss_nis/nis-grp.c: Likewise.
* nis/nss_nis/nis-hosts.c: Likewise.
* nis/nss_nis/nis-network.c: Likewise.
* nis/nss_nis/nis-proto.c: Likewise.
* nis/nss_nis/nis-pwd.c: Likewise.
* nis/nss_nis/nis-rpc.c: Likewise.
* nis/nss_nis/nis-service.c: Likewise.
* nis/nss_nis/nis-spwd.c: Likewise.
* nis/nss_nisplus/nisplus-alias.c: Likewise.
* nis/nss_nisplus/nisplus-ethers.c: Likewise.
* nis/nss_nisplus/nisplus-grp.c: Likewise.
* nis/nss_nisplus/nisplus-hosts.c: Likewise.
* nis/nss_nisplus/nisplus-initgroups.c: Likewise.
* nis/nss_nisplus/nisplus-network.c: Likewise.
* nis/nss_nisplus/nisplus-proto.c: Likewise.
* nis/nss_nisplus/nisplus-pwd.c: Likewise.
* nis/nss_nisplus/nisplus-rpc.c: Likewise.
* nis/nss_nisplus/nisplus-service.c: Likewise.
* nis/nss_nisplus/nisplus-spwd.c: Likewise.
* nis/ypclnt.c: Likewise.
* nptl/libc_pthread_init.c: Likewise.
* nss/getXXbyYY.c: Likewise.
* nss/getXXent.c: Likewise.
* nss/getXXent_r.c: Likewise.
* nss/nss_db/db-XXX.c: Likewise.
* nss/nss_db/db-netgrp.c: Likewise.
* nss/nss_db/nss_db.h: Likewise.
* nss/nss_files/files-XXX.c: Likewise.
* nss/nss_files/files-alias.c: Likewise.
* nss/nsswitch.c: Likewise.
* posix/regex_internal.h: Likewise.
* posix/wordexp.c: Likewise.
* pwd/fgetpwent.c: Likewise.
* resolv/res_hconf.c: Likewise.
* resolv/res_libc.c: Likewise.
* shadow/fgetspent.c: Likewise.
* shadow/lckpwdf.c: Likewise.
* shadow/sgetspent.c: Likewise.
* socket/opensock.c: Likewise.
* stdio-common/reg-modifier.c: Likewise.
* stdio-common/reg-printf.c: Likewise.
* stdio-common/reg-type.c: Likewise.
* stdio-common/vfprintf.c: Likewise.
* stdio-common/vfscanf.c: Likewise.
* stdlib/abort.c: Likewise.
* stdlib/cxa_atexit.c: Likewise.
* stdlib/fmtmsg.c: Likewise.
* stdlib/random.c: Likewise.
* stdlib/setenv.c: Likewise.
* string/strsignal.c: Likewise.
* sunrpc/auth_none.c: Likewise.
* sunrpc/bindrsvprt.c: Likewise.
* sunrpc/create_xid.c: Likewise.
* sunrpc/key_call.c: Likewise.
* sunrpc/rpc_thread.c: Likewise.
* sysdeps/arm/backtrace.c: Likewise.
* sysdeps/generic/ldsodefs.h: Likewise.
* sysdeps/generic/stdio-lock.h: Likewise.
* sysdeps/generic/unwind-dw2-fde.c: Likewise.
* sysdeps/i386/backtrace.c: Likewise.
* sysdeps/ieee754/ldbl-opt/nldbl-compat.c: Likewise.
* sysdeps/m68k/backtrace.c: Likewise.
* sysdeps/mach/hurd/cthreads.c: Likewise.
* sysdeps/mach/hurd/dirstream.h: Likewise.
* sysdeps/mach/hurd/malloc-machine.h: Likewise.
* sysdeps/nptl/malloc-machine.h: Likewise.
* sysdeps/nptl/stdio-lock.h: Likewise.
* sysdeps/posix/dirstream.h: Likewise.
* sysdeps/posix/getaddrinfo.c: Likewise.
* sysdeps/posix/system.c: Likewise.
* sysdeps/pthread/aio_suspend.c: Likewise.
* sysdeps/s390/s390-32/backtrace.c: Likewise.
* sysdeps/s390/s390-64/backtrace.c: Likewise.
* sysdeps/unix/sysv/linux/check_pf.c: Likewise.
* sysdeps/unix/sysv/linux/if_index.c: Likewise.
* sysdeps/unix/sysv/linux/s390/s390-32/getutent_r.c: Likewise.
* sysdeps/unix/sysv/linux/s390/s390-32/getutid_r.c: Likewise.
* sysdeps/unix/sysv/linux/s390/s390-32/getutline_r.c: Likewise.
* sysdeps/unix/sysv/linux/shm-directory.c: Likewise.
* sysdeps/unix/sysv/linux/system.c: Likewise.
* sysdeps/x86_64/backtrace.c: Likewise.
* time/alt_digit.c: Likewise.
* time/era.c: Likewise.
* time/tzset.c: Likewise.
* wcsmbs/wcsmbsload.c: Likewise.
* nptl/tst-initializers1.c (do_test): Refer to <libc-lock.h>
instead of <bits/libc-lock.h> in comment.
|
| |
|
|
|
| |
Different labels are no longer needed because the tables are now in
separate functions.
|
| |
|
|
|
|
| |
This splits a considerable chunk of code from the main vfprintf
function. This will make it easier to remove the use of extend_alloca
from the positional argument handling code.
|
| |
|
|
|
| |
The second jump table will be moved to a separate function
in the next commit.
|
| |
|
|
|
| |
This constant will allow us to refer to the number of elements in
work_buffer across a function call boundary.
|
| |
|
|
|
| |
This makes the offset handling more explicit and avoids
cross-references between the jump tables.
|
| |
|
|
| |
This avoids preprocessor conditionals in function declarations.
|
| | |
|
| |
|
|
|
|
| |
A larger number of format specifiers coudld cause a stack overflow,
potentially allowing to bypass _FORTIFY_SOURCE format string
protection.
|
| | |
|
| |
|
|
| |
This reverts commit f7efd7c3dfffa3c417e9d3c4cb19d9954a3b1421.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
ChangeLog:
2014-03-17 Will Newton <will.newton@linaro.org>
* libio/genops.c: Check whether
_IO_JUMPS_OFFSET is defined with #ifdef rather
than #if.
* libio/libioP.h: Likewise.
* stdio-common/vfprintf.c: Likewise.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Partially revert commits 2b766585f9b4ffabeef2f36200c275976b93f2c7 and
de2fd463b1c0310d75084b6d774fb974075a4ad9, which were intended to fix BZ#11741
but caused another, likely worse bug, namely that fwrite() and fputs() could,
in an error path, read data beyond the end of the specified buffer, and
potentially even write this data to the file.
Fix BZ#11741 properly by checking the return value from _IO_padn() in
stdio-common/vfprintf.c.
|
| | |
|
| | |
|
| |
|
|
| |
call free(NULL).
|
| | |
|
| | |
|
| |
|
|
|
|
| |
[BZ #11741]
Fixed bug where printf and family may return a spurious success when
printing padded formats.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
[BZ #6530]
* stdio-common/vfprintf.c (process_string_arg): Revert
2000-07-22 change.
2011-09-28 Jonathan Nieder <jrnieder@gmail.com>
* stdio-common/Makefile (tst-sprintf-ENV): Set environment
for testcase.
* stdio-common/tst-sprintf.c: Include <locale.h>
(main): Test sprintf's handling of incomplete multibyte
characters.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
With help from Paul Eggert, Carlos O'Donell, and Roland McGrath.
* stdio-common/printf-parse.h (read_int): Change return type to
'int', return -1 on INT_MAX overflow.
* stdio-common/vfprintf.c (vfprintf): Validate width and precision
against overflow of INT_MAX. Set errno to EOVERFLOW when 'done'
overflows INT_MAX. Check for overflow of in-format-string precision
values properly. Use EOVERFLOW rather than ERANGE throughout. Use
SIZE_MAX not INT_MAX for integer overflow test.
* stdio-common/printf-parsemb.c: If read_int signals an overflow,
skip the construct in the format string but do not record anything.
* stdio-common/bug22.c: Adjust to test both width/prevision
INT_MAX overflow as well as total length INT_MAX overflow. Check
explicitly for proper errno values.
|
| | |
|
| | |
|
| |
|
|
| |
* stdio-common/vfprintf.c (vfprintf): add missing errno settings.
|
| |
|
|
|
|
|
|
| |
[BZ #13656]
* stdio-common/vfprintf.c (vfprintf): Check for nargs overflow and
possibly allocate from heap instead of stack.
* stdio-common/bug-vfprintf-nargs.c: New file.
* stdio-common/Makefile (tests): Add nargs overflow test.
|
