From owner-cvs-all Sun Jun 17 19:38:46 2001
Delivered-To: cvs-all@freebsd.org
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16]) by hub.freebsd.org (Postfix) with ESMTP id 3C6DD37B401; Sun, 17 Jun 2001 19:38:23 -0700 (PDT) (envelope-from bde@zeta.org.au)
Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102]) by mailman.zeta.org.au (8.9.3/8.8.7) with ESMTP id MAA07548; Mon, 18 Jun 2001 12:38:20 +1000
Date: Mon, 18 Jun 2001 12:36:32 +1000 (EST)
From: Bruce Evans
X-Sender: bde@besplex.bde.org
To: Assar Westerlund
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/lib/libc/stdio snprintf.c sprintf.c vsnprintf.c vsprintf.c
In-Reply-To: <200106160537.f5G5bxQ23545@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> Modified files:
>   lib/libc/stdio       snprintf.c sprintf.c vsnprintf.c
>                        vsprintf.c
> Log:
> free memory that gets allocated by vfprintf when str == NULL
>
> PR:            misc/26044
>
> MFC after:     1 week
>
> Revision  Changes    Path
> 1.14      +3 -1      src/lib/libc/stdio/snprintf.c
> 1.8       +3 -1      src/lib/libc/stdio/sprintf.c
> 1.14      +3 -1      src/lib/libc/stdio/vsnprintf.c
> 1.8       +3 -1      src/lib/libc/stdio/vsprintf.c

This is bogus for sprintf and vsprintf, and for snprintf and vsnprintf with a nonzero buffer size, since str == NULL is an application error in these cases. The error should cause a core dump when the null "string" is written to, but this doesn't happen because the allocated buffer gets written to instead.
Untested patch to prevent the bogus allocation: Index: local.h =================================================================== RCS file: /home/ncvs/src/lib/libc/stdio/local.h,v retrieving revision 1.4 diff -c -2 -r1.4 local.h *** local.h 2001/06/04 12:36:06 1.4 --- local.h 2001/06/18 02:32:32 *************** *** 82,86 **** */ #define cantwrite(fp) \ ! ((((fp)->_flags & __SWR) == 0 || (fp)->_bf._base == NULL) && \ __swsetup(fp)) --- 82,87 ---- */ #define cantwrite(fp) \ ! ((((fp)->_flags & __SWR) == 0 || \ ! ((fp)->_bf._base == NULL && ((fp)->_flags & __SSTR) == 0)) && \ __swsetup(fp)) I don't like doing extra work to support undefined behaviour, but the allocation is also bogus for snprintf() with a buffer size of 0. Bruce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
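Review bot: the exemption added to cantwrite() only keeps a string stream out of __swsetup() if that stream also has __SWR set; otherwise the unchanged first clause `((fp)->_flags & __SWR) == 0` still fires and the allocation happens anyway. The callers that build __SSTR streams (vsnprintf/vsprintf) should be checked for that, and the comment above the macro should state the invariant, since after this change a NULL _bf._base on a string stream is deliberately passed through to the write path rather than set up. Since the patch is untested, the two behaviours it is meant to produce are cheap to confirm: snprintf(NULL, 0, ...) must return the required length with no buffer left allocated, and sprintf(NULL, ...) must fault on the first byte written.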
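The one NULL-buffer case the reply treats as legitimate is snprintf() with a size of 0, used as a length query. The following is an added example, not code from the thread or from FreeBSD libc, showing that idiom done carefully (two passes with a restarted va_list, and a second-pass length check) next to the truncation check a fixed buffer needs, since snprintf() returns the length the full output would have had rather than the number of bytes stored. The function names format_alloc and format_fixed are this example's own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Two-pass formatted allocation.  Pass 1 is the length query the reply
 * describes as valid: a NULL buffer with size 0, so vsnprintf stores
 * nothing.  A NULL buffer with a nonzero size, or with sprintf, is the
 * application error the reply calls bogus and is never done here.
 * Returns a malloc'd string, or NULL on format error or allocation failure.
 */
static char *
format_alloc(const char *fmt, ...)
{
	va_list ap;
	int need, wrote;
	char *buf;

	va_start(ap, fmt);
	need = vsnprintf(NULL, 0, fmt, ap);	/* length query only */
	va_end(ap);
	if (need < 0)
		return (NULL);			/* encoding or format error */

	buf = malloc((size_t)need + 1);		/* +1 for the NUL */
	if (buf == NULL)
		return (NULL);

	/* Pass 2: a va_list cannot be reused, so it is restarted. */
	va_start(ap, fmt);
	wrote = vsnprintf(buf, (size_t)need + 1, fmt, ap);
	va_end(ap);
	if (wrote != need) {			/* output must be deterministic */
		free(buf);
		return (NULL);
	}
	return (buf);
}

/*
 * Fixed-buffer formatting with an explicit truncation check.  Returns 1 if
 * the whole output fit, 0 if it was truncated (buf is still NUL-terminated
 * and holds the first size-1 bytes), -1 on a format error.
 */
static int
format_fixed(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return (-1);
	return ((size_t)n < size ? 1 : 0);	/* n counts bytes excluding NUL */
}

int
main(void)
{
	char small[8];
	char *s = format_alloc("%s=%d", "answer", 42);	/* constructed input */

	if (s != NULL) {
		printf("%s\n", s);
		free(s);
	}
	printf("fit=%d buf=\"%s\"\n",
	    format_fixed(small, sizeof(small), "%s", "toolongvalue"), small);
	return (0);
}
```

The point of the second-pass comparison is that a format whose output length depends on state that changed between the two calls (a %s argument another thread is writing to, for instance) would otherwise write short or be silently truncated; treating a mismatch as failure keeps the allocation and the write in agreement.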