[BusyBox 0004214]: printf reads uninitialized memory

bugs at busybox.net bugs at busybox.net
Wed Aug 20 00:56:18 UTC 2008


The following issue has been CLOSED 
====================================================================== 
http://busybox.net/bugs/view.php?id=4214 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4214
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     closed
Resolution:                 open
Fixed in Version:           
====================================================================== 
Date Submitted:             07-17-2008 16:37 PDT
Last Modified:              08-19-2008 17:56 PDT
====================================================================== 
Summary:                    printf reads uninitialized memory
Description: 
Hello, here is a test case that leads printf to read uninitialized memory:
./printf "%Ld\n" 10
39860182724902922
(output varies, since it reads garbage)

The problem is that this execution eventually invokes libc's printf with 
the same format specifier, and with the second argument my_xstrtol("10"). 

This returns a long (4 bytes on my machine), which is printed as a long
long (8 bytes on my machine).  Unfortunately, I don't see an easy fix here,
because most conversion routines in Busybox seem to return longs.

--Cristian

====================================================================== 

---------------------------------------------------------------------- 
 vda - 07-18-08 11:42  
---------------------------------------------------------------------- 
Indeed. Please test 6.patch. 

---------------------------------------------------------------------- 
 cristic - 07-18-08 16:49  
---------------------------------------------------------------------- 
This patch does prevent reading garbage when length modifiers are used, but
the fix also prevents printing valid large numbers:

$ busybox/printf "%Ld\n" 123123123123
printf: 123123123123: invalid number
0
$ coreutils/printf "%Ld\n" 123123123123
123123123123 

---------------------------------------------------------------------- 
 vda - 07-19-08 01:24  
---------------------------------------------------------------------- 
They were not printed before too, so patch does not break anything. As
before, we handle long-sized integers maximum. The patch IIRC even
explains where this can be fixed if needed. 

---------------------------------------------------------------------- 
 cristic - 07-19-08 15:21  
---------------------------------------------------------------------- 
I agree it doesn't break anything.  If long long support is not a concern
for now, we can close this report.  Thanks. 
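As an added illustration of the defect discussed in this report and its follow-up (example code, not BusyBox's source or the 6.patch attached to the bug): the applet must push an argument whose type matches the length modifier it forwards to libc, and a range check against that type is what turns an out-of-range value into an "invalid number" error rather than garbage. The helper names parse_int_spec, format_int and formats_to are hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { W_INT, W_LONG, W_LLONG } int_width;

/* Accepts "%d", "%ld", "%lld" and "%Ld" (GNU spelling of "%lld") and
 * reports the argument width the spec demands; -1 for anything else. */
static int parse_int_spec(const char *spec, int_width *w)
{
    const char *p = spec + 1;
    if (spec[0] != '%') return -1;
    *w = W_INT;
    if (*p == 'L') { *w = W_LLONG; p++; }
    else if (*p == 'l') {
        *w = W_LONG; p++;
        if (*p == 'l') { *w = W_LLONG; p++; }
    }
    return (p[0] == 'd' && p[1] == '\0') ? 0 : -1;
}

/* The report's bug: the applet always pushed a long, so "%Ld" made libc
 * consume sizeof(long long) bytes of varargs where only sizeof(long) had
 * been pushed (garbage on a 32-bit long). Fix: parse into the widest type,
 * range-check against the width the spec names, pass exactly that type. */
int format_int(char *out, size_t n, const char *spec, const char *arg)
{
    int_width w; char *end; long long v;
    if (parse_int_spec(spec, &w) != 0) return -1;
    errno = 0;
    v = strtoll(arg, &end, 10);
    if (errno == ERANGE || end == arg || *end != '\0')
        return -1;                               /* "invalid number" */
    if (w == W_INT && (v < INT_MIN || v > INT_MAX)) return -1;
    if (w == W_LONG && (v < LONG_MIN || v > LONG_MAX)) return -1;
    if (w == W_INT) snprintf(out, n, "%d", (int)v);
    else if (w == W_LONG) snprintf(out, n, "%ld", (long)v);
    else snprintf(out, n, "%lld", v);            /* type matches modifier */
    return 0;
}

/* Check helper: 1 if spec/arg formats exactly to want, else 0. */
int formats_to(const char *spec, const char *arg, const char *want)
{
    char buf[64];
    return format_int(buf, sizeof buf, spec, arg) == 0 && strcmp(buf, want) == 0;
}
```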

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-17-08 16:37  cristic        New Issue                                    
07-17-08 16:37  cristic        Status                   new => assigned     
07-17-08 16:37  cristic        Assigned To               => BusyBox         
07-17-08 16:37  cristic        Issue Monitored: cristic                     
07-18-08 11:40  vda            File Added: 6.patch                          
07-18-08 11:42  vda            Note Added: 0009754                          
07-18-08 16:49  cristic        Note Added: 0009764                          
07-19-08 01:24  vda            Note Added: 0009794                          
07-19-08 15:21  cristic        Note Added: 0009804                          
08-19-08 17:56  vda            Status                   assigned => closed  
======================================================================