GNU bug report logs - #8683
printf out-of-bounds memory access


Package: coreutils

Reported by: Paul Marinescu <paul.marinescu <at> imperial.ac.uk>

Date: Tue, 17 May 2011 15:32:02 UTC

Severity: normal

Done: Pádraig Brady <P <at> draigBrady.com>

Bug is archived. No further changes may be made.




From: Pádraig Brady <P <at> draigBrady.com>
To: Paul Marinescu <paul.marinescu <at> imperial.ac.uk>
Cc: 8683 <at> debbugs.gnu.org, Cristian Cadar <c.cadar <at> imperial.ac.uk>
Subject: bug#8683: printf out-of-bounds memory access
Date: Tue, 17 May 2011 16:54:39 +0100
On 17/05/11 16:31, Paul Marinescu wrote:
> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
> an integer argument consists only of a single or double quote.
> 
> The printf spec mentions that an integer argument consisting of a
> single/double quote followed by a character is interpreted as the ASCII
> value of that character. However, when the quote is alone, the code in
> the STRTOX macro (printf.c:171) goes beyond the buffer associated with
> the argument.
> 
> Possible fix: report an error at printf.c:166 if ch is 0.

Good catch!
We'll apply something like the following which results in:

$ ./printf "%d\n" '"a"'
./printf: warning: ": character(s) following character constant have been ignored
97
$ ./printf "%d\n" '"a'
97
$ ./printf "%d\n" '"'
./printf: ": expected a numeric value
0
$ ./printf "%d\n" 'a'
./printf: a: expected a numeric value
0

cheers,
Pádraig.

diff --git a/src/printf.c b/src/printf.c
index e05947c..22a85e7 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s)                                            \
   char *end;                                                            \
   TYPE val;                                                             \
                                                                          \
-  if (*s == '\"' || *s == '\'')                                                 \
+  if ((*s == '\"' || *s == '\'') && *(s+1))                             \
     {                                                                   \
       unsigned char ch = *++s;                                          \
       val = ch;                                                                 \
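Review bot: the new `&& *(s+1)` guard on the changed `if` is the whole fix, and it works because it stops the `unsigned char ch = *++s;` context line from ever loading the terminating NUL as the character constant, so the block can no longer step past the end of the argument; a lone quote instead falls through to the `else` branch and gets the same "expected a numeric value" diagnostic as any other non-numeric string, which is the behaviour the sample output in the reply shows but nothing in the code records. Two small things: write the test as `s[1]` rather than `*(s+1)`, and add a one-line comment above the condition, e.g. `/* A bare quote has no character to take; let the numeric parser reject it.  */`, so the next reader does not "simplify" the guard away. Cosmetic: the continuation backslash on the changed line no longer lines up with the column used on the surrounding macro lines.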



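A model of the affected parse in C, added here as an example and not coreutils' own code: run_vulnerable follows the shape of the pre-fix STRTOX block as the report describes it (a leading quote means "take the next byte", then the byte after that is inspected for the trailing-characters warning), and run_fixed adds the `&& s[1]` guard from the patch above. The function names, the status codes, the max_index bookkeeping and the scratch buffer that pads the argument with 'X' bytes (so the over-read is observable instead of undefined behaviour) are all assumptions made for this example; the POSIXLY_CORRECT handling of the real macro is left out.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome codes standing in for coreutils' warning/error paths
   (assumed names for this example, not coreutils identifiers). */
enum { PARSE_OK = 0, PARSE_TRAILING_IGNORED, PARSE_NOT_NUMERIC, PARSE_NOT_COMPLETE };

struct parsed {
    long val;          /* value printf would use for %d */
    int status;        /* one of the codes above */
    size_t max_index;  /* highest byte offset the parser dereferenced */
};

/* The argument is copied into a scratch buffer whose bytes past the NUL are
   filled with 'X', standing in for whatever follows argv[i] in memory, so an
   out-of-bounds read shows up as data instead of undefined behaviour. */
#define SCRATCH 32
static char scratch[SCRATCH];

static const char *load_arg(const char *arg)
{
    size_t n = strlen(arg);
    if (n + 1 >= SCRATCH)
        abort();
    memset(scratch, 'X', SCRATCH);
    memcpy(scratch, arg, n);
    scratch[n] = '\0';               /* offset n is the last byte that is ours */
    return scratch;
}

static void track(struct parsed *r, size_t i)
{
    if (i > r->max_index)
        r->max_index = i;
}

/* Shared tail: the strtol path plus the equivalent of verify_numeric. */
static void parse_number(const char *s, struct parsed *r)
{
    char *end;
    r->val = strtol(s, &end, 0);
    track(r, (size_t)(end - s));     /* strtol stops at the first bad byte */
    if (end == s)
        r->status = PARSE_NOT_NUMERIC;
    else if (*end != '\0')
        r->status = PARSE_NOT_COMPLETE;
}

/* Pre-fix shape: quote, take s[1] as the value, then look at s[2] to decide
   whether to warn about ignored trailing characters. For a lone quote s[1]
   is the terminating NUL and s[2] lies past the argument's buffer. */
static struct parsed run_vulnerable(const char *arg)
{
    const char *s = load_arg(arg);
    struct parsed r = {0, PARSE_OK, 0};
    if (s[0] == '"' || s[0] == '\'')
    {
        unsigned char ch = (unsigned char) s[1];
        track(&r, 1);
        r.val = ch;
        track(&r, 2);                /* this read is the bug for a lone quote */
        if (s[2] != '\0')
            r.status = PARSE_TRAILING_IGNORED;
    }
    else
        parse_number(s, &r);
    return r;
}

/* Same logic with the patch's guard: the character-constant path is taken
   only when a byte actually follows the quote; a lone quote falls through
   to strtol and is rejected like any other non-numeric string. */
static struct parsed run_fixed(const char *arg)
{
    const char *s = load_arg(arg);
    struct parsed r = {0, PARSE_OK, 0};
    int quoted = (s[0] == '"' || s[0] == '\'');
    if (quoted)
        track(&r, 1);                /* s[1] is read by the && test; in bounds */
    if (quoted && s[1] != '\0')
    {
        r.val = (unsigned char) s[1];
        track(&r, 2);                /* s[2] exists now: s[1] was not the NUL */
        if (s[2] != '\0')
            r.status = PARSE_TRAILING_IGNORED;
    }
    else
        parse_number(s, &r);
    return r;
}

int main(void)
{
    /* Constructed inputs mirroring the four invocations in the reply. */
    static const char *const args[] = { "\"a\"", "\"a", "\"", "a" };
    for (size_t i = 0; i < sizeof args / sizeof *args; i++)
    {
        struct parsed v = run_vulnerable(args[i]);
        struct parsed f = run_fixed(args[i]);
        size_t nul = strlen(args[i]);   /* offset of the argument's NUL */
        printf("%-4s vulnerable: val=%ld status=%d max_index=%zu%s | fixed: val=%ld status=%d max_index=%zu\n",
               args[i], v.val, v.status, v.max_index,
               v.max_index > nul ? " (past the buffer)" : "",
               f.val, f.status, f.max_index);
    }
    return 0;
}
```

The lone-quote row is the interesting one: the vulnerable model reports a trailing-characters warning whose "trailing characters" are the 'X' padding past the argument's NUL, exactly the memory a real run would read from the neighbouring argv string or the environment, while the fixed model stops at offset 1 and reports the argument as non-numeric.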

This bug report was last modified 14 years and 11 days ago.



GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.