From owner-svn-src-all@FreeBSD.ORG Sat Apr 21 06:10:19 2012 Return-Path: Delivered-To: svn-src-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 678F4106567B; Sat, 21 Apr 2012 06:10:19 +0000 (UTC) (envelope-from das@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 4952D8FC15; Sat, 21 Apr 2012 06:10:19 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.4/8.14.4) with ESMTP id q3L6AJAb074537; Sat, 21 Apr 2012 06:10:19 GMT (envelope-from das@svn.freebsd.org) Received: (from das@localhost) by svn.freebsd.org (8.14.4/8.14.4/Submit) id q3L6AJbx074531; Sat, 21 Apr 2012 06:10:19 GMT (envelope-from das@svn.freebsd.org) Message-Id: <201204210610.q3L6AJbx074531@svn.freebsd.org> From: David Schultz Date: Sat, 21 Apr 2012 06:10:19 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r234531 - head/lib/libc/stdio X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 21 Apr 2012 06:10:19 -0000 Author: das Date: Sat Apr 21 06:10:18 2012 New Revision: 234531 URL: http://svn.freebsd.org/changeset/base/234531 Log: If the size passed to {,v}s{w,n}printf is larger than INT_MAX+1 (i.e., the return value would overflow), set errno to EOVERFLOW and return an error. This improves the chances that buggy applications -- for instance, ones that pass in a negative integer as the size due to a bogus calculation -- will fail in safe ways. Returning an error in these situations is specified by POSIX, but POSIX appears to have an off-by-one error that isn't duplicated in this change. Previously, some of these functions would silently cap the size at INT_MAX+1, and others would exit with an error after writing more than INT_MAX characters. PR: 39256 MFC after: 2 weeks Modified: head/lib/libc/stdio/snprintf.c head/lib/libc/stdio/vfprintf.c head/lib/libc/stdio/vfwprintf.c head/lib/libc/stdio/vsnprintf.c head/lib/libc/stdio/vswprintf.c Modified: head/lib/libc/stdio/snprintf.c ============================================================================== --- head/lib/libc/stdio/snprintf.c Sat Apr 21 06:09:09 2012 (r234530) +++ head/lib/libc/stdio/snprintf.c Sat Apr 21 06:10:18 2012 (r234531) @@ -41,6 +41,7 @@ static char sccsid[] = "@(#)snprintf.c 8 #include __FBSDID("$FreeBSD$"); +#include #include #include #include @@ -59,8 +60,11 @@ snprintf(char * __restrict str, size_t n on = n; if (n != 0) n--; - if (n > INT_MAX) - n = INT_MAX; + if (n > INT_MAX) { + errno = EOVERFLOW; + *str = '\0'; + return (EOF); + } va_start(ap, fmt); f._flags = __SWR | __SSTR; f._bf._base = f._p = (unsigned char *)str; @@ -84,8 +88,11 @@ snprintf_l(char * __restrict str, size_t on = n; if (n != 0) n--; - if (n > INT_MAX) - n = INT_MAX; + if (n > INT_MAX) { + errno = EOVERFLOW; + *str = '\0'; + return (EOF); + } va_start(ap, fmt); f._flags = __SWR | __SSTR; f._bf._base = f._p = (unsigned char *)str; Modified: head/lib/libc/stdio/vfprintf.c ============================================================================== --- head/lib/libc/stdio/vfprintf.c Sat Apr 21 06:09:09 2012 (r234530) +++ head/lib/libc/stdio/vfprintf.c Sat Apr 21 06:10:18 2012 (r234531) @@ -51,6 +51,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -480,6 +481,7 @@ __vfprintf(FILE *fp, locale_t locale, co if ((n = fmt - cp) != 0) { if ((unsigned)ret + n > INT_MAX) { ret = EOF; + errno = EOVERFLOW; goto error; } PRINT(cp, n); @@ -935,6 +937,7 @@ number: if ((dprec = prec) >= 0) prsize = width > realsz ? width : realsz; if ((unsigned)ret + prsize > INT_MAX) { ret = EOF; + errno = EOVERFLOW; goto error; } Modified: head/lib/libc/stdio/vfwprintf.c ============================================================================== --- head/lib/libc/stdio/vfwprintf.c Sat Apr 21 06:09:09 2012 (r234530) +++ head/lib/libc/stdio/vfwprintf.c Sat Apr 21 06:10:18 2012 (r234531) @@ -54,6 +54,7 @@ __FBSDID("$FreeBSD$"); #include #include +#include #include #include #include @@ -553,6 +554,7 @@ __vfwprintf(FILE *fp, locale_t locale, c if ((n = fmt - cp) != 0) { if ((unsigned)ret + n > INT_MAX) { ret = EOF; + errno = EOVERFLOW; goto error; } PRINT(cp, n); @@ -1003,6 +1005,7 @@ number: if ((dprec = prec) >= 0) prsize = width > realsz ? width : realsz; if ((unsigned)ret + prsize > INT_MAX) { ret = EOF; + errno = EOVERFLOW; goto error; } Modified: head/lib/libc/stdio/vsnprintf.c ============================================================================== --- head/lib/libc/stdio/vsnprintf.c Sat Apr 21 06:09:09 2012 (r234530) +++ head/lib/libc/stdio/vsnprintf.c Sat Apr 21 06:10:18 2012 (r234531) @@ -41,6 +41,7 @@ static char sccsid[] = "@(#)vsnprintf.c #include __FBSDID("$FreeBSD$"); +#include #include #include #include "local.h" @@ -59,8 +60,11 @@ vsnprintf_l(char * __restrict str, size_ on = n; if (n != 0) n--; - if (n > INT_MAX) - n = INT_MAX; + if (n > INT_MAX) { + errno = EOVERFLOW; + *str = '\0'; + return (EOF); + } /* Stdio internals do not deal correctly with zero length buffer */ if (n == 0) { if (on > 0) Modified: head/lib/libc/stdio/vswprintf.c ============================================================================== --- head/lib/libc/stdio/vswprintf.c Sat Apr 21 06:09:09 2012 (r234530) +++ head/lib/libc/stdio/vswprintf.c Sat Apr 21 06:10:18 2012 (r234531) @@ -39,6 +39,7 @@ __FBSDID("FreeBSD: src/lib/libc/stdio/va __FBSDID("$FreeBSD$"); #include +#include #include #include #include @@ -61,6 +62,11 @@ vswprintf_l(wchar_t * __restrict s, size errno = EINVAL; return (-1); } + if (n - 1 > INT_MAX) { + errno = EOVERFLOW; + *s = L'\0'; + return (-1); + } f._flags = __SWR | __SSTR | __SALC; f._bf._base = f._p = (unsigned char *)malloc(128);