GNU bug report logs - #8683
printf out-of-bounds memory access


Package: coreutils

Reported by: Paul Marinescu <paul.marinescu <at> imperial.ac.uk>

Date: Tue, 17 May 2011 15:32:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.


From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Paul Marinescu <paul.marinescu <at> imperial.ac.uk>
Subject: bug#8683: closed (Re: bug#8683: printf out-of-bounds memory access)
Date: Tue, 17 May 2011 23:58:02 +0000
[Message part 1 (text/plain, inline)]
Your bug report

#8683: printf out-of-bounds memory access

which was filed against the coreutils package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 8683 <at> debbugs.gnu.org.

-- 
8683: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=8683
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems
[Message part 2 (message/rfc822, inline)]
From: Pádraig Brady <P <at> draigBrady.com>
Cc: 8683-done <at> debbugs.gnu.org
Subject: Re: bug#8683: printf out-of-bounds memory access
Date: Wed, 18 May 2011 00:55:50 +0100
[Message part 3 (text/plain, inline)]
On 17/05/11 16:54, Pádraig Brady wrote:
> On 17/05/11 16:31, Paul Marinescu wrote:
>> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
>> an integer argument consists only of a single or double quote.

I'll apply the attached fix soon.

thanks again,
Pádraig.
[printf-oob.diff (text/x-patch, attachment)]
[Message part 5 (message/rfc822, inline)]
From: Paul Marinescu <paul.marinescu <at> imperial.ac.uk>
To: bug-coreutils <at> gnu.org
Cc: Cristian Cadar <c.cadar <at> imperial.ac.uk>
Subject: printf out-of-bounds memory access
Date: Tue, 17 May 2011 16:31:40 +0100
In coreutils 8.12 (latest), printf can make an out-of-bounds access when 
an integer argument consists only of a single or double quote.

The printf spec mentions that an integer argument consisting of a 
single/double quote followed by a character is interpreted as the ASCII 
value of that character. However, when the quote is alone, the code in 
the STRTOX macro (printf.c:171) goes beyond the buffer associated with 
the argument.

Possible fix: report an error at printf.c:166 if ch is 0.


Paul
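
The lone-quote case described in this report, as an added example that is not part of the original thread or the coreutils source: a simplified C model of a parser for `'c` / `"c` integer arguments, showing which index an unchecked version would read next and how rejecting the empty case keeps the parser inside the buffer. All function names are hypothetical and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model of a printf(1)-style quoted-character argument parser.
   Hypothetical names; this is not the coreutils code. */

/* Unchecked form: assumes a character always follows the quote.
   Returns the index the caller would examine next (for trailing junk);
   it is computed but never dereferenced here. */
static size_t next_index_unchecked(const char *arg, long *val)
{
    size_t i = 0;
    if (arg[i] == '\'' || arg[i] == '"') {
        unsigned char ch = (unsigned char)arg[++i]; /* NUL if the quote is alone */
        *val = ch;
        ++i;            /* for "'" this steps past the terminator */
    }
    return i;           /* a caller reading arg[i] is now out of bounds */
}

/* Checked form: a quote with nothing after it is an error, so the
   next index never leaves the buffer. Returns 0 on success, -1 on error. */
static int parse_quoted_checked(const char *arg, long *val, size_t *next)
{
    if (arg[0] == '\'' || arg[0] == '"') {
        if (arg[1] == '\0')
            return -1;  /* lone quote: reject instead of advancing */
        *val = (unsigned char)arg[1];
        *next = 2;      /* arg[2] is at worst the terminator */
        return 0;
    }
    return -1;          /* not a quoted-character argument */
}

int main(void)
{
    const char *samples[] = { "'A", "\"z", "'", "\"" }; /* constructed inputs */
    for (size_t k = 0; k < sizeof samples / sizeof *samples; k++) {
        long v = 0; size_t n = 0;
        size_t bad = next_index_unchecked(samples[k], &v);
        int rc = parse_quoted_checked(samples[k], &v, &n);
        printf("%-3s unchecked next=%zu (terminator at %zu) checked=%s\n",
               samples[k], bad, strlen(samples[k]), rc == 0 ? "ok" : "error");
    }
    return 0;
}
```

For the lone-quote inputs the unchecked index is 2 while the terminator sits at index 1, which is the access beyond the argument buffer; the checked form returns an error for those inputs.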



This bug report was last modified 14 years and 11 days ago.
