GNU bug report logs - #8683 printf out-of-bounds memory access
Report forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org: bug#8683; Package coreutils. (Tue, 17 May 2011 15:32:02 GMT)
Acknowledgement sent to Paul Marinescu <paul.marinescu <at> imperial.ac.uk>: New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Tue, 17 May 2011 15:32:02 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
In coreutils 8.12 (latest), printf can make an out-of-bounds access when
an integer argument consists only of a single or double quote.
The printf spec mentions that an integer argument consisting of a
single/double quote followed by a character is interpreted as the ASCII
value of that character. However, when the quote is alone, the code in
the STRTOX macro (printf.c:171) goes beyond the buffer associated with
the argument.
Possible fix: report an error at printf.c:166 if ch is 0.
Paul
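The parsing rule described in the report (a quote followed by a character yields that character's code, anything else is parsed as a number), written as an added C example rather than coreutils' own printf.c, with the lone-quote case guarded so the parser never steps past the argument's terminating NUL:

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of parsing one printf(1) integer argument. */
enum arg_status { ARG_OK, ARG_OK_TRAILING_IGNORED, ARG_NOT_NUMERIC };

/* Parse S like a printf(1) integer argument.  The quote branch is taken only
   when a character actually follows the quote, so for a lone '"' or '\'' we
   fall through to numeric parsing instead of reading s[1] and then s[2]
   beyond the string.  Trailing text after a plain number is deliberately
   not modelled here (assumption: out of scope for this example). */
static enum arg_status parse_int_arg(const char *s, long *val)
{
    if ((s[0] == '"' || s[0] == '\'') && s[1] != '\0') {
        *val = (unsigned char)s[1];            /* "a -> 97 */
        /* s[1] is non-NUL, so s[2] is still inside the string. */
        return s[2] != '\0' ? ARG_OK_TRAILING_IGNORED : ARG_OK;
    }
    char *end;
    errno = 0;
    long v = strtol(s, &end, 0);               /* base 0: decimal, octal, hex */
    if (end == s) {                            /* no digits at all, e.g. 'a' or a lone quote */
        *val = 0;                              /* printf(1) prints 0 after the error */
        return ARG_NOT_NUMERIC;
    }
    *val = v;
    return ARG_OK;
}

/* Convenience wrappers so each result can be checked in one expression. */
static long value_of(const char *s) { long v; parse_int_arg(s, &v); return v; }
static enum arg_status status_of(const char *s) { long v; return parse_int_arg(s, &v); }

int main(void)
{
    /* Constructed inputs mirroring the cases discussed in the report. */
    const char *inputs[] = { "\"a\"", "\"a", "\"", "'", "a", "42" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long v;
        enum arg_status st = parse_int_arg(inputs[i], &v);
        if (st == ARG_NOT_NUMERIC)
            printf("%s: expected a numeric value\n", inputs[i]);
        else if (st == ARG_OK_TRAILING_IGNORED)
            printf("warning: %s: character(s) following character constant ignored\n", inputs[i]);
        printf("%ld\n", v);
    }
    return 0;
}
```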
Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org: bug#8683; Package coreutils. (Tue, 17 May 2011 15:57:02 GMT)
Message #8 received at 8683 <at> debbugs.gnu.org:
On 17/05/11 16:31, Paul Marinescu wrote:
> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
> an integer argument consists only of a single or double quote.
>
> The printf spec mentions that an integer argument consisting of a
> single/double quote followed by a character is interpreted as the ASCII
> value of that character. However, when the quote is alone, the code in
> the STRTOX macro (printf.c:171) goes beyond the buffer associated with
> the argument.
>
> Possible fix: report an error at printf.c:166 if ch is 0.
Good catch!
We'll apply something like the following which results in:
$ ./printf "%d\n" '"a"'
./printf: warning: ": character(s) following character constant have been ignored
97
$ ./printf "%d\n" '"a'
97
$ ./printf "%d\n" '"'
./printf: ": expected a numeric value
0
$ ./printf "%d\n" 'a'
./printf: a: expected a numeric value
0
cheers,
Pádraig.
diff --git a/src/printf.c b/src/printf.c
index e05947c..22a85e7 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s) \
char *end; \
TYPE val; \
\
- if (*s == '\"' || *s == '\'') \
+ if ((*s == '\"' || *s == '\'') && *(s+1)) \
{ \
unsigned char ch = *++s; \
val = ch; \
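Review bot: the new guard `&& *(s+1)` on the `if` line closes the lone-quote read, but it depends on `s` being NUL-terminated (true for the argv strings this macro is fed) and `s[1]` would read more clearly than `*(s+1)` in that condition. The hunk also touches only src/printf.c: consider adding a regression test for the `'"'` input shown in the transcript and a NEWS entry so the fix is recorded.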
Reply sent to Pádraig Brady <P <at> draigBrady.com>: You have taken responsibility. (Tue, 17 May 2011 23:58:01 GMT)
Notification sent to Paul Marinescu <paul.marinescu <at> imperial.ac.uk>: bug acknowledged by developer. (Tue, 17 May 2011 23:58:02 GMT)
Message #13 received at 8683-done <at> debbugs.gnu.org:
On 17/05/11 16:54, Pádraig Brady wrote:
> On 17/05/11 16:31, Paul Marinescu wrote:
>> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
>> an integer argument consists only of a single or double quote.
I'll apply the attached fix soon.
thanks again,
Pádraig.
[printf-oob.diff (text/x-patch, attachment)]
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 15 Jun 2011 11:24:04 GMT)