From: bug#75900 <75900@debbugs.gnu.org>
To: bug#75900 <75900@debbugs.gnu.org>
Subject: Status: doprnt.c buffer overflow
Date: Tue, 12 Aug 2025 04:13:00 +0000

retitle 75900 doprnt.c buffer overflow
reassign 75900 emacs
submitter 75900 Pip Cet
severity 75900 normal
thanks

From: Pip Cet
To: bug-gnu-emacs@gnu.org, Paul Eggert
Subject: doprnt.c buffer overflow
Date: Mon, 27 Jan 2025 19:13:09 +0000
Message-ID: <87wmegul3g.fsf@protonmail.com>

doprnt sometimes overflows its buffer, causing stack smashing and (if
we're lucky) a glibc abort when make_formatted_string calls it:

(gdb) p make_formatted_string ("01234567890123456789012345678901234567890123456789012345678901234567890123456789)0123456789)01234567890123456789012345678901234567890123456789")
[Thread 0x7fffda9ff6c0 (LWP 20144) exited]
*** stack smashing detected ***: terminated

The reason is that in doprnt, the variable bufsize indicates the number
of remaining bytes in the buf, and bufptr points to the current byte in
the buf, but sometimes a byte is written and bufsize is not updated:

      else if (! LEADING_CODE_P (fmtchar))
        {
          if (EQ (quoting_style, Qstraight) && fmtchar == '`')
            fmtchar = '\'';

          *bufptr++ = fmtchar;
          continue;
        }

and

        {
          do
            *bufptr++ = *src++;
          while (--srclen != 0);
        }

do this. In the former case, we must update bufsize as it will be used
again. In the latter case, it's sufficient to set it to 0 as this is
the last successful printing operation in this call.

A related issue is that if a multibyte character produced by a %s format
option would overflow the buffer, doprnt returns the buffer size minus
one, as expected, but hasn't actually modified all of the buffer data:
the final bytes will refer to uninitialized stack data.

For example, on my system, where FRAME_MESSAGE_BUF_SIZE (f) is 832, this
call:

(gdb) p message ("%s%s", "xxxx", SDATA(Fmake_string (0x8aa, 0x10002, Qt)))

will print the string

"xxxx䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀䀀
^@Z"

where the last characters are an ASCII NUL followed by a 'Z' (which I
put in the buffer after it was SAFE_ALLOCA'd). The 'Z' should have been
overwritten, in which case message would still have printed two
unintended NUL characters.

I intend to fix the first two bugs, and fix message in a somewhat ugly
way for the other two.

Patches to follow once there is a bug number.
Pip

From: Pip Cet
To: bug-gnu-emacs@gnu.org
Cc: Paul Eggert
Subject: Re: doprnt.c buffer overflow
Date: Mon, 27 Jan 2025 20:36:28 +0000
Message-ID: <87bjvsuh8m.fsf@protonmail.com>
In-Reply-To: <87wmegul3g.fsf@protonmail.com>

"Pip Cet" writes:

> doprnt sometimes overflows its buffer, causing stack smashing and (if
> we're lucky) a glibc abort when make_formatted_string calls it:
>
> [...]
>
> Patches to follow once there is a bug number.
The first patch fixes doprnt by avoiding buffer overflows and clearing the rest of the buffer even when the first character not to fit there was multibyte. >From 49e1cc9ae476663cb1ddf6106f7a6f64cd558208 Mon Sep 17 00:00:00 2001 From: Pip Cet Subject: [PATCH 1/2] Fix buffer overflows in doprnt (bug#75900) * src/doprnt.c (doprnt): Clear rest of buffer on multibyte overflow. Always decrement bufsize when writing a byte. --- src/doprnt.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/doprnt.c b/src/doprnt.c index 335223f972a..d4b2d95fdc1 100644 --- a/src/doprnt.c +++ b/src/doprnt.c @@ -446,7 +446,8 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *fo= rmat, =09=09 while (tem !=3D 0); =20 =09=09 memcpy (bufptr, string, tem); -=09=09 bufptr[tem] =3D 0; +=09=09 while (tem < bufsize) +=09=09 bufptr[tem++] =3D 0; =09=09 /* Trigger exit from the loop, but make sure we =09=09 return to the caller a value which will indicate =09=09 that the buffer was too small. */ @@ -498,6 +499,7 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *fo= rmat, =09 fmtchar =3D '\''; =20 =09 *bufptr++ =3D fmtchar; +=09 bufsize--; =09 continue; =09} else @@ -523,7 +525,10 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *f= ormat, else =09{ =09 do -=09 *bufptr++ =3D *src++; +=09 { +=09 *bufptr++ =3D *src++; +=09 bufsize--; +=09 } =09 while (--srclen !=3D 0); =09} } --=20 2.47.1 The second patch fixes interactive vmessage to deal with doprnt's peculiar behavior when a multibyte character doesn't fit in the buffer: doprnt returns bufsize - 1, even though there are fewer valid bytes in the buffer. Note that the previous allocation of the stack buffer was overly generous, except in the very unlikely case that FRAME_MESSAGE_BUF_SIZE returns 0. >From c62aed0270390d19bba251f356f406963c89baf5 Mon Sep 17 00:00:00 2001 
From: Pip Cet Subject: [PATCH 2/2] Avoid printing NUL characters in 'message' (bug#75900) * src/xdisp.c (vmessage): Increase buffer size to fit an extra multibyte character. On buffer overflow, drop the last multibyte character to determine an accurate byte length. --- src/xdisp.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/xdisp.c b/src/xdisp.c index 5b5cb3849fc..4933315166f 100644 --- a/src/xdisp.c +++ b/src/xdisp.c 
@@ -12587,10 +12587,19 @@ vmessage (const char *m, va_list ap) =09 ptrdiff_t len; =09 ptrdiff_t maxsize =3D FRAME_MESSAGE_BUF_SIZE (f); =09 USE_SAFE_ALLOCA; -=09 char *message_buf =3D SAFE_ALLOCA (maxsize + 1); - -=09 len =3D doprnt (message_buf, maxsize, m, 0, ap); +=09 char *message_buf =3D SAFE_ALLOCA (maxsize + MAX_MULTIBYTE_LENGTH= ); =20 +=09 len =3D doprnt (message_buf, maxsize + MAX_MULTIBYTE_LENGTH, m, 0= , ap); +=09 /* doprnt returns the buffer size minus one when it +=09=09 truncated a multibyte sequence. Work around that by +=09=09 truncating to the last valid multibyte head. */ +=09 if (len >=3D maxsize) +=09=09{ +=09=09 len =3D maxsize - 1; +=09=09 while (!CHAR_HEAD_P (message_buf[len])) +=09=09 len--; +=09=09 message_buf[len] =3D 0; +=09=09} =09 message3 (make_string (message_buf, len)); =09 SAFE_FREE (); =09 } --=20 2.47.1 Pip
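Review bot: in the first doprnt.c hunk, replacing `bufptr[tem] = 0;` with `while (tem < bufsize) bufptr[tem++] = 0;` means this path stores no terminator at all when tem equals bufsize on entry, where the old line always stored one; the truncation loop above (only its `while (tem != 0);` is visible here) decides whether that can happen, so either confirm that the final NUL written at the end of doprnt covers that case or keep an unconditional `bufptr[tem] = 0;` ahead of the fill. `memset (bufptr + tem, 0, bufsize - tem);` would express the fill in one line with the bound visible at a glance. The comment that follows ("return to the caller a value which will indicate that the buffer was too small") should now also say that the returned count includes the zeroed tail, since that is exactly the behaviour the second patch has to work around in vmessage.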
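Review bot: the `bufsize--;` added after `*bufptr++ = fmtchar;` in the second doprnt.c hunk is now the only thing keeping the plain-character path inside the buffer, and it relies on the loop entry test (outside this hunk) having checked bufsize before the store; an `eassert (bufsize > 0);` immediately before `*bufptr++ = fmtchar;` would pin that invariant at the exact spot where the reported stack smash happened and would catch any future path that reaches it with bufsize already 0.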
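Review bot: the third doprnt.c hunk decrements bufsize once per byte inside the do/while, whereas the cover letter says setting it to 0 is sufficient because this is the last store in the call; whichever is intended, the loop still copies srclen bytes without consulting bufsize, so the per-byte decrement records the count rather than bounding the copy. If srclen is already known to fit at this point, `memcpy (bufptr, src, srclen); bufptr += srclen; bufsize -= srclen;` says the same thing, matches the memcpy style used for the %s case in the first hunk, and avoids growing a one-statement loop body to three lines.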
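Review bot: in the vmessage hunk, `while (!CHAR_HEAD_P (message_buf[len])) len--;` has no lower bound and terminates only because message_buf[0] is a character head, which holds for doprnt output but is not stated; `while (len > 0 && !CHAR_HEAD_P (message_buf[len]))` or an eassert would make the assumption explicit. The `message_buf[len] = 0;` after it is redundant, since `message3 (make_string (message_buf, len));` passes the length explicitly. Also note that `if (len >= maxsize)` now fires for an untruncated message of exactly maxsize bytes (the buffer is maxsize + MAX_MULTIBYTE_LENGTH long), so the comment above it should say that the intent is to keep the old cap of maxsize - 1 bytes, not only to work around the truncation return value.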
From: Paul Eggert
To: Pip Cet
Cc: 75900-done@debbugs.gnu.org
Subject: Re: doprnt.c buffer overflow
Date: Mon, 27 Jan 2025 17:21:46 -0800
In-Reply-To: <87bjvsuh8m.fsf@protonmail.com>
Organization: UCLA Computer Science Department

Thanks, I installed those along with some related fixups.

From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Tue, 25 Feb 2025 12:24:05 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator
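An added example, not code from Emacs or from either message in this thread: a cut-down doprnt-style formatter (mini_doprnt) that reproduces the two defects described in the initial report, the plain-character path that never decrements bufsize and the truncated-multibyte %s path that leaves stale bytes inside the returned length, next to the fixed behaviour of the first patch, plus a vmessage-style caller (message_len) that recovers an accurate byte length the way the second patch does. It simplifies in two ways that are this example's own choices: %s arguments are passed as an array instead of a va_list, and UTF-8 stands in for Emacs's internal multibyte encoding (the head-byte test is the same). The buffer sizes, the 'Z' canary fill, the 40-byte format and the U+4000 strings are constructed inputs; mini_doprnt, overflow_demo, truncation_demo, message_len and MAX_MB_LEN are names invented here.

```c
#include <stddef.h>
#include <string.h>

#define MAX_MB_LEN 4   /* longest UTF-8 sequence (Emacs: MAX_MULTIBYTE_LENGTH) */

/* Character head unless it is a 10xxxxxx continuation byte (cf. CHAR_HEAD_P).  */
static int char_head_p (unsigned char c) { return (c & 0xC0) != 0x80; }

/* Cut-down doprnt: BUFFER holds BUFSIZE bytes including the terminating NUL;
   the return value excludes it.  Only plain characters and %s are handled, %s
   arguments come from ARGS.  FIXED == 0 keeps the reported defects, FIXED != 0
   applies the fixes from the first patch.  */
static ptrdiff_t
mini_doprnt (char *buffer, ptrdiff_t bufsize, const char *fmt,
             const char *const *args, int fixed)
{
  char *bufptr = buffer;
  bufsize--;                    /* reserve room for the NUL */
  while (*fmt != 0 && bufsize > 0)
    {
      if (fmt[0] != '%' || fmt[1] != 's')
        {
          *bufptr++ = *fmt++;
          if (fixed)
            bufsize--;          /* the original never decremented here */
          continue;
        }
      const char *src = *args++;
      ptrdiff_t tem = strlen (src);
      fmt += 2;
      if (tem <= bufsize)
        {
          memcpy (bufptr, src, tem);
          bufptr += tem;
          bufsize -= tem;
          continue;
        }
      /* Does not fit: truncate at a character boundary by backing up to a head.  */
      tem = bufsize;
      while (tem > 0 && !char_head_p ((unsigned char) src[tem]))
        tem--;
      memcpy (bufptr, src, tem);
      if (fixed)
        memset (bufptr + tem, 0, bufsize - tem);   /* clear the rest of the buffer */
      else
        bufptr[tem] = 0;        /* bytes after this NUL are left stale */
      bufptr += bufsize;        /* make the return value say "buffer too small" */
      bufsize = 0;
    }
  *bufptr = 0;
  return bufptr - buffer;
}

/* The make_formatted_string case made observable: a directive-free 40-byte
   format (constructed) into a 16-byte buffer at the front of a 'Z'-filled
   region.  Returns 1 if anything past the buffer was written.  */
static int
overflow_demo (int fixed, ptrdiff_t *len_out)
{
  char region[64];
  memset (region, 'Z', sizeof region);
  *len_out = mini_doprnt (region, 16, "0123456789012345678901234567890123456789",
                          NULL, fixed);
  for (int i = 16; i < (int) sizeof region; i++)
    if (region[i] != 'Z')
      return 1;
  return 0;
}

/* Constructed %s arguments: "xxxx" and five copies of U+4000 (3 bytes each).  */
static const char *const args[] =
  { "xxxx", "\xE4\x80\x80\xE4\x80\x80\xE4\x80\x80\xE4\x80\x80\xE4\x80\x80" };

/* The report's "%s%s" case in a 13-byte buffer: count the stale 'Z' bytes and
   the NULs that fall inside the returned length.  */
static ptrdiff_t
truncation_demo (int fixed, int *stale, int *nuls)
{
  char buf[13];
  memset (buf, 'Z', sizeof buf);
  ptrdiff_t len = mini_doprnt (buf, sizeof buf, "%s%s", args, fixed);
  *stale = *nuls = 0;
  for (ptrdiff_t i = 0; i < len; i++)
    {
      *stale += buf[i] == 'Z';
      *nuls += buf[i] == 0;
    }
  return len;
}

/* Caller modelled on the patched vmessage: hand doprnt MAX_MB_LEN spare bytes
   so a truncation lands past MAXSIZE, then cut back to the last head byte so
   the length covers only whole characters.  BUF holds MAXSIZE + MAX_MB_LEN.  */
static ptrdiff_t
message_len (char *buf, ptrdiff_t maxsize, const char *fmt,
             const char *const *fmt_args)
{
  ptrdiff_t len = mini_doprnt (buf, maxsize + MAX_MB_LEN, fmt, fmt_args, 1);
  if (len >= maxsize)
    {
      len = maxsize - 1;
      while (len > 0 && !char_head_p ((unsigned char) buf[len]))
        len--;
      buf[len] = 0;
    }
  return len;
}
```

With the defects in place, overflow_demo reports the canary beyond the 16-byte buffer clobbered (the formatter stores all 40 bytes, which is the stack smash from the report in miniature); with the decrement restored it stores 15 bytes and stops. truncation_demo shows why the second fix is still needed: before it, one stale 'Z' and one NUL sit inside the 12 bytes doprnt reports, and after it the tail is two NULs, so message_len has to walk back to the last character head to obtain the 7 bytes ("xxxx" plus one U+4000) that are actually a message.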