From unknown Sun Jun 22 17:11:59 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#8683: printf out-of-bounds memory access
Resent-From: Paul Marinescu <paul.marinescu@imperial.ac.uk>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-To: owner@debbugs.gnu.org
Resent-CC: bug-coreutils@gnu.org
Resent-Date: Tue, 17 May 2011 15:32:02 +0000
Resent-Message-ID: <handler.8683.B.13056463149854@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: report 8683
X-GNU-PR-Package: coreutils
X-GNU-PR-Keywords: 
To: 8683@debbugs.gnu.org
Cc: Cristian Cadar <c.cadar@imperial.ac.uk>
X-Debbugs-Original-To: bug-coreutils@gnu.org
Received: via spool by submit@debbugs.gnu.org id=B.13056463149854
          (code B ref -1); Tue, 17 May 2011 15:32:02 +0000
Received: (at submit) by debbugs.gnu.org; 17 May 2011 15:31:54 +0000
Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1QMMFV-0002Ys-QG
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:53 -0400
Received: from eggs.gnu.org ([140.186.70.92])
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFT-0002Yg-HF
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:52 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFN-0003K6-FO
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:46 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED
	autolearn=unavailable version=3.3.1
Received: from lists.gnu.org ([140.186.70.17]:40791)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFN-0003K2-Dl
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:45 -0400
Received: from eggs.gnu.org ([140.186.70.92]:40852)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFM-00074A-J2
	for bug-coreutils@gnu.org; Tue, 17 May 2011 11:31:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFL-0003Jo-Uo
	for bug-coreutils@gnu.org; Tue, 17 May 2011 11:31:44 -0400
Received: from smtp1.cc.ic.ac.uk ([155.198.5.155]:41447)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFL-0003Jf-Qq
	for bug-coreutils@gnu.org; Tue, 17 May 2011 11:31:43 -0400
Received: from indomitable.doc.ic.ac.uk ([146.169.7.18])
	by smtp1.cc.ic.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72)
	(envelope-from <paul.marinescu@imperial.ac.uk>)
	id 1QMMFI-00076x-Qt; Tue, 17 May 2011 16:31:40 +0100
Message-ID: <4DD294DC.9050006@imperial.ac.uk>
Date: Tue, 17 May 2011 16:31:40 +0100
From: Paul Marinescu <paul.marinescu@imperial.ac.uk>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-IC-MsgID: 1QMMFI-00076x-Qt
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Received-From: 140.186.70.17
X-Spam-Score: -6.1 (------)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/pipermail/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.1 (------)

In coreutils 8.12 (latest), printf can make an out-of-bounds access when 
an integer argument consists only of a single or double quote.

The printf spec mentions that an integer argument consisting of a 
single/double quote followed by a character is interpreted as the ASCII 
value of that character. However, when the quote is alone, the code in 
the STRTOX macro (printf.c:171) goes beyond the buffer associated with 
the argument.

Possible fix: report an error at printf.c:166 if ch is 0.


Paul




From unknown Sun Jun 22 17:11:59 2025
X-Loop: help-debbugs@gnu.org
Subject: bug#8683: printf out-of-bounds memory access
Resent-From: =?UTF-8?Q?P=C3=A1draig?= Brady <P@draigBrady.com>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-To: owner@debbugs.gnu.org
Resent-CC: bug-coreutils@gnu.org
Resent-Date: Tue, 17 May 2011 15:57:02 +0000
Resent-Message-ID: <handler.8683.B8683.130564777611939@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 8683
X-GNU-PR-Package: coreutils
X-GNU-PR-Keywords: 
To: Paul Marinescu <paul.marinescu@imperial.ac.uk>
Cc: 8683@debbugs.gnu.org, Cristian Cadar <c.cadar@imperial.ac.uk>
Received: via spool by 8683-submit@debbugs.gnu.org id=B8683.130564777611939
          (code B ref 8683); Tue, 17 May 2011 15:57:02 +0000
Received: (at 8683) by debbugs.gnu.org; 17 May 2011 15:56:16 +0000
Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1QMMd5-00036W-WA
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:56:16 -0400
Received: from mail1.slb.deg.dub.stisp.net ([84.203.253.98])
	by debbugs.gnu.org with smtp (Exim 4.69)
	(envelope-from <P@draigBrady.com>) id 1QMMd3-00036J-VG
	for 8683@debbugs.gnu.org; Tue, 17 May 2011 11:56:14 -0400
Received: (qmail 50903 invoked from network); 17 May 2011 15:56:07 -0000
Received: from unknown (HELO ?192.168.2.25?) (84.203.137.218)
	by mail1.slb.deg.dub.stisp.net with SMTP; 17 May 2011 15:56:07 -0000
Message-ID: <4DD29A3F.6050908@draigBrady.com>
Date: Tue, 17 May 2011 16:54:39 +0100
From: =?UTF-8?Q?P=C3=A1draig?= Brady <P@draigBrady.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
	rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
References: <4DD294DC.9050006@imperial.ac.uk>
In-Reply-To: <4DD294DC.9050006@imperial.ac.uk>
X-Enigmail-Version: 1.0.1
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Spam-Score: -2.7 (--)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/pipermail/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -2.7 (--)

On 17/05/11 16:31, Paul Marinescu wrote:
> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
> an integer argument consists only of a single or double quote.
> 
> The printf spec mentions that an integer argument consisting of a
> single/double quote followed by a character is interpreted as the ASCII
> value of that character. However, when the quote is alone, the code in
> the STRTOX macro (printf.c:171) goes beyond the buffer associated with
> the argument.
> 
> Possible fix: report an error at printf.c:166 if ch is 0.

Good catch!
We'll apply something like the following which results in:

$ ./printf "%d\n" '"a"'
./printf: warning: ": character(s) following character constant have been ignored
97
$ ./printf "%d\n" '"a'
97
$ ./printf "%d\n" '"'
./printf: ": expected a numeric value
0
$ ./printf "%d\n" 'a'
./printf: a: expected a numeric value
0

cheers,
Pádraig.

diff --git a/src/printf.c b/src/printf.c
index e05947c..22a85e7 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s)                                            \
   char *end;                                                            \
   TYPE val;                                                             \
                                                                          \
-  if (*s == '\"' || *s == '\'')                                                 \
+  if ((*s == '\"' || *s == '\'') && *(s+1))                             \
     {                                                                   \
       unsigned char ch = *++s;                                          \
       val = ch;                                                                 \




From unknown Sun Jun 22 17:11:59 2025
MIME-Version: 1.0
X-Mailer: MIME-tools 5.427 (Entity 5.427)
X-Loop: help-debbugs@gnu.org
From: help-debbugs@gnu.org (GNU bug Tracking System)
To: Paul Marinescu <paul.marinescu@imperial.ac.uk>
Subject: bug#8683: closed (Re: bug#8683: printf out-of-bounds memory access)
Message-ID: <handler.8683.D8683.130567664921359.notifdone@debbugs.gnu.org>
References: <4DD30B06.8060808@draigBrady.com>
 <4DD294DC.9050006@imperial.ac.uk>
X-Gnu-PR-Message: they-closed 8683
X-Gnu-PR-Package: coreutils
Reply-To: 8683@debbugs.gnu.org
Date: Tue, 17 May 2011 23:58:02 +0000
Content-Type: multipart/mixed; boundary="----------=_1305676682-21398-1"

This is a multi-part message in MIME format...

------------=_1305676682-21398-1
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Your bug report

#8683: printf out-of-bounds memory access

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 8683@debbugs.gnu.org.

--=20
8683: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D8683
GNU Bug Tracking System
Contact help-debbugs@gnu.org with problems

------------=_1305676682-21398-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at 8683-done) by debbugs.gnu.org; 17 May 2011 23:57:29 +0000
Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1QMU8n-0005YR-Dw
	for submit@debbugs.gnu.org; Tue, 17 May 2011 19:57:29 -0400
Received: from mail1.slb.deg.dub.stisp.net ([84.203.253.98])
	by debbugs.gnu.org with smtp (Exim 4.69)
	(envelope-from <P@draigBrady.com>) id 1QMU8k-0005YE-6g
	for 8683-done@debbugs.gnu.org; Tue, 17 May 2011 19:57:27 -0400
Received: (qmail 32578 invoked from network); 17 May 2011 23:57:19 -0000
Received: from unknown (HELO ?192.168.2.25?) (84.203.137.218)
	by mail1.slb.deg.dub.stisp.net with SMTP; 17 May 2011 23:57:19 -0000
Message-ID: <4DD30B06.8060808@draigBrady.com>
Date: Wed, 18 May 2011 00:55:50 +0100
From: =?ISO-8859-1?Q?P=E1draig_Brady?= <P@draigBrady.com>
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US;
	rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
MIME-Version: 1.0
Subject: Re: bug#8683: printf out-of-bounds memory access
References: <4DD294DC.9050006@imperial.ac.uk> <4DD29A3F.6050908@draigBrady.com>
In-Reply-To: <4DD29A3F.6050908@draigBrady.com>
X-Enigmail-Version: 1.0.1
Content-Type: multipart/mixed; boundary="------------070103000201020506000708"
X-Spam-Score: -2.0 (--)
X-Debbugs-Envelope-To: 8683-done
Cc: 8683-done@debbugs.gnu.org
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/pipermail/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -2.0 (--)

This is a multi-part message in MIME format.
--------------070103000201020506000708
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit

On 17/05/11 16:54, Pádraig Brady wrote:
> On 17/05/11 16:31, Paul Marinescu wrote:
>> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
>> an integer argument consists only of a single or double quote.

I'll apply the attached fix soon.

thanks again,
Pádraig.

--------------070103000201020506000708
Content-Type: text/x-patch;
 name="printf-oob.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="printf-oob.diff"

>From 4d8f6b9f5716077bd423b98324547087f485425e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A1draig=20Brady?= <P@draigBrady.com>
Date: Wed, 18 May 2011 00:01:55 +0100
Subject: [PATCH] printf: fix an out-of-bounds memory access

* src/printf.c (STRTOX): Don't access memory after a
string containing a single quote character.
* tests/misc/printf: Add tests for various combinations
of single quote characters combined with a numeric format.
* THANKS.in: Add bug reporter.
* NEWS: Mention the fix.

Reported-by: Paul Marinescu <paul.marinescu@imperial.ac.uk>
---
 NEWS              |    5 +++++
 THANKS.in         |    1 +
 src/printf.c      |    2 +-
 tests/misc/printf |   23 +++++++++++++++++++++++
 4 files changed, 30 insertions(+), 1 deletions(-)

diff --git a/NEWS b/NEWS
index 7a7f761..88593ab 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@ GNU coreutils NEWS                                    -*- outline -*-
 
 * Noteworthy changes in release ?.? (????-??-??) [?]
 
+** Bug fixes
+
+  printf '%d' '"' no longer accesses out-of-bounds memory in the diagnostic.
+  [bug introduced in sh-utils-1.16]
+
 ** New features
 
   split accepts a new --filter=CMD option.  With it, split filters output
diff --git a/THANKS.in b/THANKS.in
index 3156834..9120ba3 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -449,6 +449,7 @@ Patrick Mauritz                     oxygene@studentenbude.ath.cx
 Paul D. Smith                       psmith@gnu.org
 Paul Ghaleb                         paul.ghaleb@st.com
 Paul Jarc                           prj@po.cwru.edu
+Paul Marinescu                      paul.marinescu@imperial.ac.uk
 Paul Nevai                          nevai@ops.mps.ohio-state.edu
 Paul Sauer                          paul@alexa.com
 Paul Slootman                       paul@debian.org
diff --git a/src/printf.c b/src/printf.c
index e05947c..24070b8 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s)						 \
   char *end;								 \
   TYPE val;								 \
                                                                          \
-  if (*s == '\"' || *s == '\'')						 \
+  if ((*s == '\"' || *s == '\'') && *(s + 1))				 \
     {									 \
       unsigned char ch = *++s;						 \
       val = ch;								 \
diff --git a/tests/misc/printf b/tests/misc/printf
index 6404761..8f5f7d4 100755
--- a/tests/misc/printf
+++ b/tests/misc/printf
@@ -96,4 +96,27 @@ EOF
 
 compare out exp || fail=1
 
+# Verify handling of single quote chars
+
+"$prog" '%d\n' '"a'  >out 2>err   # valid
+"$prog" '%d\n' '"a"' >>out 2>>err # invalid
+"$prog" '%d\n' '"'   >>out 2>>err # invalid
+"$prog" '%d\n' 'a'   >>out 2>>err # invalid
+
+cat <<EOF > exp
+97
+97
+0
+0
+EOF
+
+cat <<EOF > exp_err
+$prog: warning: ": character(s) following character constant have been ignored
+$prog: ": expected a numeric value
+$prog: a: expected a numeric value
+EOF
+
+compare out exp || fail=1
+compare err exp_err || fail=1
+
 Exit $fail
-- 
1.7.4


--------------070103000201020506000708--


------------=_1305676682-21398-1
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 7bit

Received: (at submit) by debbugs.gnu.org; 17 May 2011 15:31:54 +0000
Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1QMMFV-0002Ys-QG
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:53 -0400
Received: from eggs.gnu.org ([140.186.70.92])
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFT-0002Yg-HF
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:52 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFN-0003K6-FO
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:46 -0400
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on eggs.gnu.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED
	autolearn=unavailable version=3.3.1
Received: from lists.gnu.org ([140.186.70.17]:40791)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFN-0003K2-Dl
	for submit@debbugs.gnu.org; Tue, 17 May 2011 11:31:45 -0400
Received: from eggs.gnu.org ([140.186.70.92]:40852)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFM-00074A-J2
	for bug-coreutils@gnu.org; Tue, 17 May 2011 11:31:45 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFL-0003Jo-Uo
	for bug-coreutils@gnu.org; Tue, 17 May 2011 11:31:44 -0400
Received: from smtp1.cc.ic.ac.uk ([155.198.5.155]:41447)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <paul.marinescu@imperial.ac.uk>) id 1QMMFL-0003Jf-Qq
	for bug-coreutils@gnu.org; Tue, 17 May 2011 11:31:43 -0400
Received: from indomitable.doc.ic.ac.uk ([146.169.7.18])
	by smtp1.cc.ic.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.72)
	(envelope-from <paul.marinescu@imperial.ac.uk>)
	id 1QMMFI-00076x-Qt; Tue, 17 May 2011 16:31:40 +0100
Message-ID: <4DD294DC.9050006@imperial.ac.uk>
Date: Tue, 17 May 2011 16:31:40 +0100
From: Paul Marinescu <paul.marinescu@imperial.ac.uk>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US;
	rv:1.9.2.13) Gecko/20101208 Thunderbird/3.1.7
MIME-Version: 1.0
To: bug-coreutils@gnu.org
Subject: printf out-of-bounds memory access
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-IC-MsgID: 1QMMFI-00076x-Qt
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Received-From: 140.186.70.17
X-Spam-Score: -6.1 (------)
X-Debbugs-Envelope-To: submit
Cc: Cristian Cadar <c.cadar@imperial.ac.uk>
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: <debbugs-submit.debbugs.gnu.org>
List-Unsubscribe: <http://debbugs.gnu.org/cgi-bin/mailman/options/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=unsubscribe>
List-Archive: <http://debbugs.gnu.org/pipermail/debbugs-submit>
List-Post: <mailto:debbugs-submit@debbugs.gnu.org>
List-Help: <mailto:debbugs-submit-request@debbugs.gnu.org?subject=help>
List-Subscribe: <http://debbugs.gnu.org/cgi-bin/mailman/listinfo/debbugs-submit>,
	<mailto:debbugs-submit-request@debbugs.gnu.org?subject=subscribe>
Sender: debbugs-submit-bounces@debbugs.gnu.org
Errors-To: debbugs-submit-bounces@debbugs.gnu.org
X-Spam-Score: -6.1 (------)

In coreutils 8.12 (latest), printf can make an out-of-bounds access when 
an integer argument consists only of a single or double quote.

The printf spec mentions that an integer argument consisting of a 
single/double quote followed by a character is interpreted as the ASCII 
value of that character. However, when the quote is alone, the code in 
the STRTOX macro (printf.c:171) goes beyond the buffer associated with 
the argument.

Possible fix: report an error at printf.c:166 if ch is 0.


Paul



------------=_1305676682-21398-1--