Date: Sun, 3 Dec 2023 11:28:43 -0500
From: Morten Welinder <mwelinder@...il.com>
To: musl@...ts.openwall.com
Subject: stdio/vfprintf.c

Looking at https://git.musl-libc.org/cgit/musl/tree/src/stdio/vfprintf.c
I see a few issues:


1. If "i=-1" in getint on line 424 is reached and there are more
digits, then the next overflow check will itself overflow in
"INT_MAX-10*i"

2. The getint call on line 504 doesn't check for overflow.  If it did,
getint could just return -1 right away on overflow.

3. The "w=-w;" on line 488 doesn't check for overflow which will
happen for INT_MIN.

4. The length calculation for "%s" on line 600 implies that strings
longer than 2G cannot be printed.  It looks deliberate, but is it
reasonable?

5. And speaking of plain "%s" with no width or precision, why is the
string length even calculated first?  Walking the string twice seems
inefficient.

6. This comment and check seems out of date:
/* This error is only specified for snprintf, but since it's
* unspecified for other forms, do the same. Stop immediately
* on overflow; otherwise %n could produce wrong results. */
if (l > INT_MAX - cnt) goto overflow;

Since %n allows size modifiers it can already produce wrong results.
The right place to check would be at %n handling.


M.
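Added example (my own code, not musl's vfprintf.c): an overflow-safe
variant of the two pieces the post discusses, a getint-style digit
parser that reports overflow as -1 without doing any further arithmetic
on the sentinel (points 1 and 2), and a negation for a '*' width that
rejects INT_MIN instead of overflowing (point 3). Function names are
assumptions, not musl's.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Parse a run of ASCII digits at *s, advancing *s past them.
 * Returns the value, or -1 if it does not fit in an int.  Once overflow
 * is seen, remaining digits are consumed but nothing is computed on the
 * poisoned value, so the check itself can never overflow. */
int getint_safe(const char **s)
{
	int i = 0, overflow = 0;
	for (; isdigit((unsigned char)**s); (*s)++) {
		int d = **s - '0';
		if (overflow) continue;
		/* 10*i + d <= INT_MAX  <=>  i <= (INT_MAX - d) / 10 */
		if (i > (INT_MAX - d) / 10) { overflow = 1; continue; }
		i = 10 * i + d;
	}
	return overflow ? -1 : i;
}

/* Negate a width taken from a '*' argument.  -INT_MIN is not
 * representable, so report it as overflow (-1) rather than invoke UB. */
int negate_width_safe(int w)
{
	return w == INT_MIN ? -1 : -w;
}

/* Convenience wrapper for callers that only want the parsed value. */
int parse_field(const char *s)
{
	return getint_safe(&s);
}

int main(void)
{
	/* Constructed inputs: the largest int, one past it, and far past it. */
	const char *cases[] = { "2147483647", "2147483648", "99999999999999999999" };
	for (int k = 0; k < 3; k++)
		printf("%-22s -> %d\n", cases[k], parse_field(cases[k]));
	printf("negate INT_MIN -> %d\n", negate_width_safe(INT_MIN));
	return 0;
}
```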
