GNU bug report logs - #8683
printf out-of-bounds memory access


Package: coreutils

Reported by: Paul Marinescu <paul.marinescu <at> imperial.ac.uk>

Date: Tue, 17 May 2011 15:32:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Pádraig Brady <P <at> draigBrady.com>
Cc: tracker <at> debbugs.gnu.org
Subject: bug#8683: closed (printf out-of-bounds memory access)
Date: Tue, 17 May 2011 23:58:01 +0000
[Message part 1 (text/plain, inline)]
Your message dated Wed, 18 May 2011 00:55:50 +0100
with message-id <4DD30B06.8060808 <at> draigBrady.com>
and subject line Re: bug#8683: printf out-of-bounds memory access
has caused the GNU bug report #8683,
regarding printf out-of-bounds memory access
to be marked as done.

(If you believe you have received this mail in error, please contact
help-debbugs <at> gnu.org.)


-- 
8683: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8683
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Paul Marinescu <paul.marinescu <at> imperial.ac.uk>
To: bug-coreutils <at> gnu.org
Cc: Cristian Cadar <c.cadar <at> imperial.ac.uk>
Subject: printf out-of-bounds memory access
Date: Tue, 17 May 2011 16:31:40 +0100
In coreutils 8.12 (latest), printf can make an out-of-bounds access when 
an integer argument consists only of a single or double quote.

The printf spec mentions that an integer argument consisting of a 
single/double quote followed by a character is interpreted as the ASCII 
value of that character. However, when the quote is alone, the code in 
the STRTOX macro (printf.c:171) goes beyond the buffer associated with 
the argument.

Possible fix: report an error at printf.c:166 if ch is 0.


Paul


[Message part 3 (message/rfc822, inline)]
From: Pádraig Brady <P <at> draigBrady.com>
Cc: 8683-done <at> debbugs.gnu.org
Subject: Re: bug#8683: printf out-of-bounds memory access
Date: Wed, 18 May 2011 00:55:50 +0100
[Message part 4 (text/plain, inline)]
On 17/05/11 16:54, Pádraig Brady wrote:
> On 17/05/11 16:31, Paul Marinescu wrote:
>> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
>> an integer argument consists only of a single or double quote.

I'll apply the attached fix soon.

thanks again,
Pádraig.
[printf-oob.diff (text/x-patch, attachment)]
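
Added example, not part of the original thread and not the coreutils source: a simplified model of the access pattern the report describes, next to a converter that applies the reporter's suggested check. The function names and the assumption that the unchecked code peeks one byte past the quoted character are hypothetical; the sample arguments are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Highest index an unchecked converter would dereference for argument s.
   Modeled, not executed: it reads s[0], takes s[1] as the character, then
   peeks at s[2] to detect trailing text (assumed structure). */
static size_t unchecked_last_index(const char *s)
{
    if (s[0] == '"' || s[0] == '\'')
        return 2;
    return strlen(s);            /* strtol-style scan stops at the NUL */
}

/* 1 if that access pattern leaves the strlen(s)+1 byte argument buffer. */
static int unchecked_reads_oob(const char *s)
{
    return unchecked_last_index(s) > strlen(s);
}

/* Hardened converter: 0 on success, -1 on error. A quote with nothing
   after it is rejected before any further byte is read, as the report
   suggests ("report an error ... if ch is 0"). */
static int parse_int_arg(const char *s, long *out)
{
    if (s[0] == '"' || s[0] == '\'') {
        unsigned char ch = (unsigned char)s[1];
        if (ch == 0)
            return -1;           /* lone quote: s[2] is out of bounds */
        *out = ch;               /* s[2] is now at worst the NUL */
        return 0;
    }
    char *end;
    errno = 0;
    *out = strtol(s, &end, 0);
    return (end == s || *end != '\0' || errno == ERANGE) ? -1 : 0;
}

int main(void)
{
    const char *samples[] = { "'A", "\"", "'", "42", "'ab" };  /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        long v = 0;
        int rc = parse_int_arg(samples[i], &v);
        printf("%-4s oob_if_unchecked=%d rc=%d value=%ld\n",
               samples[i], unchecked_reads_oob(samples[i]), rc, v);
    }
    return 0;
}
```

Building the real printf with AddressSanitizer and passing a lone quote as an integer argument is a direct way to confirm whether a given coreutils build still has the unchecked read.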

This bug report was last modified 14 years and 11 days ago.
