Date: Thu, 14 Dec 2000 07:20:05 -0800 (PST)
From: Peter Pentchev <roam@orbitel.bg>
To: freebsd-bugs@FreeBSD.org
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Message-ID: <200012141520.eBEFK5s87505@freefall.freebsd.org>
The following reply was made to PR misc/23521; it has been noted by GNATS.
From: Peter Pentchev <roam@orbitel.bg>
To: luddes@hotmail.com
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/23521: NULL pointer write in vfprintf code
Date: Thu, 14 Dec 2000 17:16:05 +0200
On Wed, Dec 13, 2000 at 05:19:51AM -0800, luddes@hotmail.com wrote:
>
> >Number: 23521
> >Category: misc
> >Synopsis: NULL pointer write in vfprintf code
> >Originator: Ludde
> >Release: 4.1.1
> >Environment:
> FreeBSD matchbox.dumle.nu 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE #3: Wed Dec 6 19:34:33 CET 2000 root@matchbox.dumle.nu:/usr/src/sys/compile/MATCHBOX i386
> >Description:
> This code crashes because of a NULL pointer write inside the vfprintf code.
> It should print the 8th argument as an integer.
> printf("%8$d", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
>
> GDB output:
> 0x280d49e0 in vfprintf () from /usr/lib/libc.so.4
> (gdb) x/i $eip
> 0x280d49e0 <vfprintf+10028>: mov %eax,(%edx)
> (gdb) info reg edx
> edx 0x0 0
> >How-To-Repeat:
> Compile a C program with this contents:
> #include <stdio.h>
>
> int main() {
>     printf("%8$d", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
> }
> and run it
> >Fix:
> Perhaps the memory allocation failure is at:
> if (tablemax >= STATIC_ARG_TBL_SIZE) {
>     *argtable = (void **)
>         malloc (sizeof (void *) * (tablemax + 1));
> }
For the record, I can 'reliably' duplicate this. It always happens on
%8$ or above; up to 7 works fine. The following test program:
#include <stdio.h>

int main(void) {
    printf("%5$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
    printf("%6$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
    printf("%7$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
    printf("%8$d\n", 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14);
    /* notreached :( */
    return 0;
}
..produces the following result:
[roam@ringworld:v4 ~/c/misc/foo]$ ./foo
5
6
7
Segmentation fault (core dumped)
[roam@ringworld:v4 ~/c/misc/foo]$
..no matter what combination of -g*, -O* and -f* options I compile it with.
I've tested this on RELENG_4 and -current, both as of Dec 11, and the result
was identical.
G'luck,
Peter
--
What would this sentence be like if pi were 3?
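The boundary between %7$ and %8$ follows from the table sizing quoted in the PR: vfprintf computes the highest positional argument number (tablemax) from the format string and only switches from its static table to malloc once tablemax reaches STATIC_ARG_TBL_SIZE. The scanner below is an added illustration, not code from the PR or from libc; it derives tablemax the same way (counting both `%n$` conversions and `*m$` width/precision arguments) and assumes STATIC_ARG_TBL_SIZE is 8, which is what the observed 7-works/8-crashes boundary implies.

```c
#include <ctype.h>

/* Assumed value matching the observed boundary; check your vfprintf.c. */
#define STATIC_ARG_TBL_SIZE 8

/* Highest positional argument number referenced by fmt (what vfprintf's
 * table sizing calls tablemax). Handles %n$ conversions, *m$ width and
 * precision, and literal %%. Returns 0 when nothing is positional. */
int positional_max(const char *fmt) {
    int max = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                       /* literal %% */
        /* optional n$ immediately after the % */
        const char *q = p;
        int n = 0;
        while (isdigit((unsigned char)*q))
            n = n * 10 + (*q++ - '0');
        if (*q == '$' && n > 0) {
            if (n > max) max = n;
            p = q + 1;
        }
        /* walk flags/width/precision up to the conversion character */
        for (; *p; p++) {
            if (*p == '*') {                /* width or precision from an argument */
                const char *r = p + 1;
                int m = 0;
                while (isdigit((unsigned char)*r))
                    m = m * 10 + (*r++ - '0');
                if (*r == '$' && m > 0) {   /* positional form *m$ */
                    if (m > max) max = m;
                    p = r;
                }
            } else if (isalpha((unsigned char)*p)) {
                break;                      /* conversion (or length modifier) ends it */
            }
        }
        if (!*p)
            break;                          /* format ended mid-directive */
    }
    return max;
}

/* 1 if this format would take vfprintf down the malloc'd-argtable path. */
int needs_dynamic_argtable(const char *fmt) {
    return positional_max(fmt) >= STATIC_ARG_TBL_SIZE;
}
```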
