Message-ID: <CANv4PNmKT-VpPYvcN+7SUGnYxTLir=0z4+Z1NvKWAULT9PdSDg@mail.gmail.com>
Date: Sun, 3 Dec 2023 11:28:43 -0500
From: Morten Welinder <mwelinder@...il.com>
To: musl@...ts.openwall.com
Subject: stdio/vfprintf.c

Looking at https://git.musl-libc.org/cgit/musl/tree/src/stdio/vfprintf.c I see a few issues:

1. If "i=-1" in getint on line 424 is reached and there are more digits, then the next overflow check will itself overflow in "INT_MAX-10*i".

2. The getint call on line 504 doesn't check for overflow. If it did, getint could just return -1 right away on overflow.

3. The "w=-w;" on line 488 doesn't check for overflow, which will happen for INT_MIN.

4. The length calculation for "%s" on line 600 implies that strings longer than 2G cannot be printed. It looks deliberate, but is it reasonable?

5. And speaking of plain "%s" with no width or precision, why is the string length even calculated first? Walking the string twice seems inefficient.

6. This comment and check seem out of date:

    /* This error is only specified for snprintf, but since it's
     * unspecified for other forms, do the same. Stop immediately
     * on overflow; otherwise %n could produce wrong results. */
    if (l > INT_MAX - cnt) goto overflow;

Since %n allows size modifiers it can already produce wrong results. The right place to check would be at %n handling.

M.
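The three arithmetic hazards raised in the message (digit accumulation past INT_MAX, negating a '*' width of INT_MIN, and the running count that %n reports) as one added example; this is illustrative code written for this page, not musl's vfprintf.c, and the function names parse_dec, star_width and add_count are my own.

```c
#include <ctype.h>
#include <limits.h>
#include <stddef.h>

/* Parse a run of decimal digits as a printf-style width/precision.
 * Returns the value, or -1 as soon as one more digit would overflow int,
 * so 10*i is never computed on an already-negative i. On overflow the
 * remaining digits are skipped so the caller resumes at the next
 * format character. */
static int parse_dec(const char **s)
{
    int i = 0;
    for (; isdigit((unsigned char)**s); (*s)++) {
        int d = **s - '0';
        if (i > (INT_MAX - d) / 10) {      /* 10*i + d would exceed INT_MAX */
            while (isdigit((unsigned char)**s)) (*s)++;
            return -1;
        }
        i = 10 * i + d;
    }
    return i;
}

/* Apply a '*' width taken from the argument list. A negative argument
 * means left adjustment with the absolute value as width, but -INT_MIN is
 * not representable, so that one case is rejected (return -1) instead of
 * being negated. */
static int star_width(int arg, int *width, int *left_adjust)
{
    if (arg == INT_MIN) return -1;
    if (arg < 0) { *left_adjust = 1; *width = -arg; }
    else         { *left_adjust = 0; *width = arg; }
    return 0;
}

/* Add the length of an emitted item to the running output count (the value
 * %n would store), failing before the addition can overflow int. */
static int add_count(int cnt, size_t len, int *out)
{
    if (len > (size_t)(INT_MAX - cnt)) return -1;
    *out = cnt + (int)len;
    return 0;
}
```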