Date:      Mon, 18 Jun 2001 12:36:32 +1000 (EST)
From:      Bruce Evans <bde@zeta.org.au>
To:        Assar Westerlund <assar@FreeBSD.org>
Cc:        cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/lib/libc/stdio snprintf.c sprintf.c vsnprintf.c vsprintf.c
Message-ID:  <Pine.BSF.4.21.0106181133090.5233-100000@besplex.bde.org>
In-Reply-To: <200106160537.f5G5bxQ23545@freefall.freebsd.org>

>   Modified files:
>     lib/libc/stdio       snprintf.c sprintf.c vsnprintf.c 
>                          vsprintf.c 
>   Log:
>   free memory that gets allocated by vfprintf when str == NULL
>   
>   PR:		misc/26044
>   
>   MFC after:	1 week
>   
>   Revision  Changes    Path
>   1.14      +3 -1      src/lib/libc/stdio/snprintf.c
>   1.8       +3 -1      src/lib/libc/stdio/sprintf.c
>   1.14      +3 -1      src/lib/libc/stdio/vsnprintf.c
>   1.8       +3 -1      src/lib/libc/stdio/vsprintf.c

This is bogus for sprintf and vsprintf, and for snprintf and vsnprintf
with a nonzero buffer size, since str == NULL is an application error
in these cases.  The error should cause a core dump when the null
"string" is written to, but this doesn't happen because the allocated
buffer gets written to instead.

Untested patch to prevent the bogus allocation:

Index: local.h
===================================================================
RCS file: /home/ncvs/src/lib/libc/stdio/local.h,v
retrieving revision 1.4
diff -c -2 -r1.4 local.h
*** local.h	2001/06/04 12:36:06	1.4
--- local.h	2001/06/18 02:32:32
***************
*** 82,86 ****
   */
  #define	cantwrite(fp) \
! 	((((fp)->_flags & __SWR) == 0 || (fp)->_bf._base == NULL) && \
  	 __swsetup(fp))
  
--- 82,87 ----
   */
  #define	cantwrite(fp) \
! 	((((fp)->_flags & __SWR) == 0 || \
! 	    ((fp)->_bf._base == NULL && ((fp)->_flags & __SSTR) == 0)) && \
  	 __swsetup(fp))
  
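Review bot: the new `((fp)->_flags & __SSTR) == 0` clause in the `cantwrite` definition means a string stream whose `_bf._base` is still NULL now bypasses `__swsetup()` entirely, so the first write goes through the NULL base pointer; that is the crash the message wants for `sprintf(NULL, ...)`, but the same condition is reached by `snprintf(NULL, 0, ...)`, which C99 explicitly allows as a length query, so the `n == 0` case needs to be intercepted in the `vsnprintf()` wrapper before `__vfprintf()` is entered, and since the diff is marked untested that path deserves a quick check before commit. A one-line comment above the macro saying why `__SSTR` streams are exempt from the NULL-buffer check would also help, as the reason (the buffer is caller-supplied, not allocated) is not obvious from the expression alone.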
I don't like doing extra work to support undefined behaviour, but the
allocation is also bogus for snprintf() with a buffer size of 0.

Bruce
