From owner-freebsd-audit  Tue Dec 19  6:35:11 2000
From owner-freebsd-audit@FreeBSD.ORG  Tue Dec 19 06:35:09 2000
Return-Path: <owner-freebsd-audit@FreeBSD.ORG>
Delivered-To: freebsd-audit@freebsd.org
Received: from scientia.demon.co.uk (scientia.demon.co.uk [212.228.14.13])
	by hub.freebsd.org (Postfix) with ESMTP id 8578337B400
	for <audit@freebsd.org>; Tue, 19 Dec 2000 06:35:08 -0800 (PST)
Received: from strontium.scientia.demon.co.uk ([192.168.91.36] ident=root)
	by scientia.demon.co.uk with esmtp (Exim 3.169 #1)
	id 148Nr9-0004HL-00 for audit@FreeBSD.org;
	Tue, 19 Dec 2000 14:35:07 +0000
Received: (from ben@localhost)
	by strontium.scientia.demon.co.uk (8.11.1/8.11.1) id eBJEZ7748511
	for audit@FreeBSD.org; Tue, 19 Dec 2000 14:35:07 GMT
	(envelope-from ben)
Date: Tue, 19 Dec 2000 14:35:06 +0000
From: Ben Smithurst <ben@FreeBSD.org>
To: audit@FreeBSD.org
Subject: printf(1) broken for some long format strings
Message-ID: <20001219143506.C78749@strontium.scientia.demon.co.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: ben@scientia.demon.co.uk
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

[previously posted to -developers; posted to -audit too at Will Andrews'
suggestion.]

printf(1) is broken for some long format strings, like

printf "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%d\n" 1

for a sufficiently large number of X's.  Does anyone have any objections
to this fix?

thanks.

Index: printf.c
===================================================================
RCS file: /usr/cvs/src/usr.bin/printf/printf.c,v
retrieving revision 1.15
diff -u -r1.15 printf.c
--- printf.c	2000/09/04 06:11:25	1.15
+++ printf.c	2000/12/19 02:17:18
@@ -247,12 +247,18 @@
 	char *str;
 	int ch;
 {
-	static char copy[64];
+	static char *copy = NULL;
+	static size_t copy_size = 0;
+	char *newcopy;
 	int len;
 
 	len = strlen(str) + 2;
-	if (len > sizeof copy)
-		return NULL;
+	if (len > copy_size) {
+		if ((newcopy = realloc(copy, len)) == NULL)
+			return NULL;
+		copy = newcopy;
+		copy_size = len;
+	}
 
 	memmove(copy, str, len - 3);
 	copy[len - 3] = 'q';
-- 
Ben Smithurst / ben@FreeBSD.org / PGP: 0x99392F7D


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message