[BusyBox 0004214]: printf reads uninitialized memory

bugs at busybox.net
Sat Jul 19 22:21:57 UTC 2008


A NOTE has been added to this issue. 
====================================================================== 
http://busybox.net/bugs/view.php?id=4214 
====================================================================== 
Reported By:                cristic
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   4214
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             07-17-2008 16:37 PDT
Last Modified:              07-19-2008 15:21 PDT
====================================================================== 
Summary:                    printf reads uninitialized memory
Description: 
Hello, here is a test case that leads printf to read uninitialized memory:
./printf "%Ld\n" 10
39860182724902922
(output varies, since it reads garbage)

The problem is that this execution eventually invokes libc's printf with
the same format specifier, and with the second argument my_xstrtol("10").

This returns a long (4 bytes on my machine), which is printed as a long long
(8 bytes on my machine).  Unfortunately, I don't see an easy fix here,
because most conversion routines in Busybox seem to return longs.

--Cristian

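As an added illustration (not code from the report or from BusyBox), a hypothetical `format_signed()` helper shows the fix the description hints at: pick the argument type from the length modifier before the value reaches libc, so `%Ld` always receives a genuine long long. It goes beyond the report by also handling the plain `%d` case, where a long must be narrowed to int after a range check.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes of the (hypothetical) helper below. */
enum { FMT_OK = 0, FMT_BAD_NUMBER = -1, FMT_BAD_SPEC = -2 };

/* Parse a decimal argument string the way a printf applet must when it
 * forwards a signed conversion to libc: the value handed to snprintf() has
 * exactly the width the length modifier promises, so libc never reads past
 * the real argument into uninitialized stack. Accepts "%d", "%ld", "%lld"
 * and glibc's "%Ld"; anything else is rejected. */
int format_signed(char *out, size_t outsz, const char *spec, const char *arg)
{
    size_t n = strlen(spec);
    if (n < 2 || spec[0] != '%' || spec[n - 1] != 'd')
        return FMT_BAD_SPEC;

    const char *mod = spec + 1;        /* length modifier between % and d */
    size_t modlen = n - 2;
    char *end;
    errno = 0;

    if ((modlen == 1 && mod[0] == 'L') ||
        (modlen == 2 && mod[0] == 'l' && mod[1] == 'l')) {
        /* %Ld / %lld: parse as long long and pass a long long. */
        long long v = strtoll(arg, &end, 10);
        if (errno == ERANGE || end == arg || *end != '\0')
            return FMT_BAD_NUMBER;
        snprintf(out, outsz, "%lld", v);
    } else if (modlen == 1 && mod[0] == 'l') {
        /* %ld: long in, long out. */
        long v = strtol(arg, &end, 10);
        if (errno == ERANGE || end == arg || *end != '\0')
            return FMT_BAD_NUMBER;
        snprintf(out, outsz, "%ld", v);
    } else if (modlen == 0) {
        /* %d: an int must be passed, so narrow only after a range check. */
        long v = strtol(arg, &end, 10);
        if (errno == ERANGE || end == arg || *end != '\0' ||
            v < INT_MIN || v > INT_MAX)
            return FMT_BAD_NUMBER;
        snprintf(out, outsz, "%d", (int)v);
    } else {
        return FMT_BAD_SPEC;
    }
    return FMT_OK;
}
```

Called as `format_signed(buf, sizeof buf, "%Ld", "123123123123")` it returns FMT_OK and writes `123123123123`, the case the long-only patch discussed below rejects.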
====================================================================== 

---------------------------------------------------------------------- 
 vda - 07-18-08 11:42  
---------------------------------------------------------------------- 
Indeed. Please test 6.patch. 

---------------------------------------------------------------------- 
 cristic - 07-18-08 16:49  
---------------------------------------------------------------------- 
This patch does prevent reading garbage when length modifiers are used, but
the fix also prevents printing valid large numbers:

$ busybox/printf "%Ld\n" 123123123123
printf: 123123123123: invalid number
0
$ coreutils/printf "%Ld\n" 123123123123
123123123123 

---------------------------------------------------------------------- 
 vda - 07-19-08 01:24  
---------------------------------------------------------------------- 
They were not printed before either, so the patch does not break anything. As
before, we handle long-sized integers at maximum. The patch IIRC even
explains where this can be fixed if needed. 

---------------------------------------------------------------------- 
 cristic - 07-19-08 15:21  
---------------------------------------------------------------------- 
I agree it doesn't break anything.  If long long support is not a concern
for now, we can close this report.  Thanks. 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
07-17-08 16:37  cristic        New Issue                                    
07-17-08 16:37  cristic        Status                   new => assigned     
07-17-08 16:37  cristic        Assigned To               => BusyBox         
07-17-08 16:37  cristic        Issue Monitored: cristic                     
07-18-08 11:40  vda            File Added: 6.patch                          
07-18-08 11:42  vda            Note Added: 0009754                          
07-18-08 16:49  cristic        Note Added: 0009764                          
07-19-08 01:24  vda            Note Added: 0009794                          
07-19-08 15:21  cristic        Note Added: 0009804                          
======================================================================