Date: Thu, 14 Dec 2000 07:20:05 -0800 (PST)
From: Peter Pentchev <roam@orbitel.bg>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Message-ID: <200012141520.eBEFK5s87505@freefall.freebsd.org>
The following reply was made to PR misc/23521; it has been noted by GNATS.

From: Peter Pentchev <roam@orbitel.bg>
To: luddes@hotmail.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Date: Thu, 14 Dec 2000 17:16:05 +0200

On Wed, Dec 13, 2000 at 05:19:51AM -0800, luddes@hotmail.com wrote:
> 
> >Number:         23521
> >Category:       misc
> >Synopsis:       NULL pointer write in vfprintf code
> >Originator:     Ludde
> >Release:        4.1.1
> >Environment:
> FreeBSD matchbox.dumle.nu 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE #3: Wed Dec 6 19:34:33 CET 2000 root@matchbox.dumle.nu:/usr/src/sys/compile/MATCHBOX i386
> >Description:
> This code crashes because of a NULL pointer write inside the vfprintf code.
> It should print the 8th argument as an integer.
> 
>     printf("%8$d", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
> 
> GDB output:
> 
>     0x280d49e0 in vfprintf () from /usr/lib/libc.so.4
>     (gdb) x/i $eip
>     0x280d49e0 <vfprintf+10028>:    mov    %eax,(%edx)
>     (gdb) info reg edx
>     edx            0x0      0
> 
> >How-To-Repeat:
> Compile a C program with this contents:
> 
>     #include <stdio.h>
> 
>     int main(void)
>     {
>         printf("%8$d", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
>         return 0;
>     }
> 
> and run it
> >Fix:
> Perhaps the memory allocation failure is at:
> 
>     if (tablemax >= STATIC_ARG_TBL_SIZE) {
>         *argtable = (void **)
>             malloc (sizeof (void *) * (tablemax + 1));
>     }

For the record, I can 'reliably' duplicate this. It always happens on %8$
or above; up to 7 works fine.

The following test program:

    #include <stdio.h>

    int main(void)
    {
        printf("%5$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
        printf("%6$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
        printf("%7$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
        printf("%8$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
        /* notreached :( */
        return 0;
    }

...produces the following result:

    [roam@ringworld:v4 ~/c/misc/foo]$ ./foo
    5
    6
    7
    Segmentation fault (core dumped)
    [roam@ringworld:v4 ~/c/misc/foo]$

...no matter what combination of -g*, -O* and -f* options I compile it with.

I've tested this on RELENG_4 and -current, both as of Dec 11, and the
result was identical.

G'luck,
Peter

-- 
What would this sentence be like if pi were 3?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
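The thread turns on how a positional-aware printf must build an argument table before it can serve "%8$d": it cannot reach the eighth argument without consuming the seven in front of it, and the table it fills lives on the stack only up to STATIC_ARG_TBL_SIZE, after which it comes from malloc(). The program below is an added example written for this page; it is not the FreeBSD libc code, not the PR's fix, and not a reproduction of the crash. It models only that table logic, with the same STATIC_ARG_TBL_SIZE condition and 1-indexed table that the quoted "Fix:" snippet shows, so that the static path covers positions 1..7 and position 8 is the first to take the heap path. The value 8 for STATIC_ARG_TBL_SIZE is an assumption chosen to match the "%8$ or above" threshold Peter observed, and every argument is assumed to be an int (a real implementation records each position's conversion type first). The function names max_positional, build_argtable and positional_int are hypothetical.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the on-stack argument table. Assumed to be 8 here so that the
 * heap path starts exactly at "%8$", matching the threshold seen in the PR. */
#define STATIC_ARG_TBL_SIZE 8

/* Scan fmt for "%N$" conversions and return the largest N.
 * Returns 0 if the format uses no positional arguments, -1 if an N does
 * not fit in an int. A digit run not followed by '$' is a field width. */
int max_positional(const char *fmt)
{
    int max = 0;
    const char *p = fmt;

    while ((p = strchr(p, '%')) != NULL) {
        p++;                                   /* step past '%' */
        if (*p == '%') {                       /* "%%" is a literal percent */
            p++;
            continue;
        }
        if (*p >= '1' && *p <= '9') {
            char *end;
            long n = strtol(p, &end, 10);
            if (*end == '$') {                 /* "%N$": positional reference */
                if (n > INT_MAX)
                    return -1;
                if ((int)n > max)
                    max = (int)n;
                p = end + 1;
            } else {
                p = end;                       /* plain width such as "%5d" */
            }
        }
    }
    return max;
}

/* Fill positions 1..tablemax of the argument table from ap. The table is
 * 1-indexed, so the static table serves tablemax < STATIC_ARG_TBL_SIZE and
 * anything larger needs tablemax + 1 heap slots (the same condition as the
 * snippet quoted in the PR). Returns NULL if malloc() fails; *heap tells
 * the caller whether the table must be freed. All arguments assumed int. */
static int *build_argtable(int tablemax, int *statargtable, va_list ap, int *heap)
{
    int *table = statargtable;

    *heap = 0;
    if (tablemax >= STATIC_ARG_TBL_SIZE) {
        table = malloc(sizeof(int) * ((size_t)tablemax + 1));
        if (table == NULL)
            return NULL;
        *heap = 1;
    }
    for (int i = 1; i <= tablemax; i++)
        table[i] = va_arg(ap, int);
    return table;
}

/* Resolve the "%N$d" in fmt against the variadic arguments and store the
 * selected int in *out. Returns 0 on success, -1 on failure. Like printf,
 * it relies on the caller actually passing at least N int arguments. */
int positional_int(int *out, const char *fmt, ...)
{
    int statargtable[STATIC_ARG_TBL_SIZE];
    int heap;
    int tablemax = max_positional(fmt);
    int *argtable;
    va_list ap;

    if (tablemax <= 0)
        return -1;
    va_start(ap, fmt);
    argtable = build_argtable(tablemax, statargtable, ap, &heap);
    va_end(ap);
    if (argtable == NULL)
        return -1;
    *out = argtable[tablemax];
    if (heap)
        free(argtable);
    return 0;
}

int main(void)
{
    /* Same shape as Peter's test program: positions 5..8 over 14 ints.
     * Positions 5..7 stay in the static table; 8 crosses into the heap path. */
    const char *fmts[] = { "%5$d\n", "%6$d\n", "%7$d\n", "%8$d\n" };

    for (size_t i = 0; i < sizeof fmts / sizeof fmts[0]; i++) {
        int v;
        if (positional_int(&v, fmts[i], 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14) == 0)
            printf("%d\n", v);
        else
            printf("failed to resolve %s", fmts[i]);
    }
    return 0;
}
```

The point of keeping both paths in one function is that a caller of the table cannot tell which one it got; any defect in the hand-off from the static table to the heap one (the pointer the caller dereferences, as in the gdb output where %edx is 0) surfaces only at the first position that crosses STATIC_ARG_TBL_SIZE, which is why %5$ through %7$ print and %8$ faults. The usual format-string caveat applies unchanged here: if fmt is attacker-controlled, "%N$" lets them pick any argument slot directly, and a position beyond what the caller supplied reads whatever happens to be on the stack.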
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200012141520.eBEFK5s87505>