From owner-svn-src-head@freebsd.org Wed Sep 2 20:04:27 2020 Return-Path: Delivered-To: svn-src-head@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 2946B3C8A11; Wed, 2 Sep 2020 20:04:27 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4BhZf30Fvlz4CqP; Wed, 2 Sep 2020 20:04:27 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id E01C1FE52; Wed, 2 Sep 2020 20:04:26 +0000 (UTC) (envelope-from jhb@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 082K4QUh074060; Wed, 2 Sep 2020 20:04:26 GMT (envelope-from jhb@FreeBSD.org) Received: (from jhb@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 082K4Q2r074059; Wed, 2 Sep 2020 20:04:26 GMT (envelope-from jhb@FreeBSD.org) Message-Id: <202009022004.082K4Q2r074059@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: jhb set sender to jhb@FreeBSD.org using -f From: John Baldwin Date: Wed, 2 Sep 2020 20:04:26 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r365276 - head/lib/libc/stdlib X-SVN-Group: head X-SVN-Commit-Author: jhb X-SVN-Commit-Paths: head/lib/libc/stdlib X-SVN-Commit-Revision: 365276 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Sep 2020 20:04:27 -0000 Author: jhb Date: Wed Sep 2 20:04:26 2020 New Revision: 365276 URL: https://svnweb.freebsd.org/changeset/base/365276 Log: Compute the correct size of the string to move forward. Previously this was counting the amount of spare room at the start of the buffer that the string needed to move forward and passing that as the number of bytes to copy to memmove rather than the length of the string to be copied. In the strfmon test in the test suite this caused the memmove to overflow the allocated buffer by one byte which CHERI caught. Reported by: CHERI Reviewed by: kevans Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D26280 Modified: head/lib/libc/stdlib/strfmon.c Modified: head/lib/libc/stdlib/strfmon.c ============================================================================== --- head/lib/libc/stdlib/strfmon.c Wed Sep 2 19:59:25 2020 (r365275) +++ head/lib/libc/stdlib/strfmon.c Wed Sep 2 20:04:26 2020 (r365276) @@ -645,7 +645,7 @@ __format_grouped_double(double value, int *flags, memset(bufend, pad_char, padded); } - bufsize = bufsize - (bufend - rslt) + 1; + bufsize = rslt + bufsize - bufend; memmove(rslt, bufend, bufsize); free(avalue); return (rslt);