[PATCH] wprintf overflow

Filippo ARCIDIACONO filippo.arcidiacono at st.com
Wed Mar 12 11:03:49 UTC 2008


Hi,
Apologies, discard my previous patch (I inverted the old with the new file in
the diff command); consider the following one:

--- uClibc-nptl-SVN-thrunk/libc/stdio/_vfprintf.c	2008-02-07
08:04:14.400000000 +0100
+++ uClibc-nptl-new/libc/stdio/_vfprintf.c	2008-03-12
11:50:47.930003000 +0100
@@ -896,7 +896,8 @@ int attribute_hidden _ppfs_parsespec(ppf
 			if ((buf[i] = (char) (((wchar_t *)
ppfs->fmtpos)[i-1]))
 				!= (((wchar_t *) ppfs->fmtpos)[i-1])
 				) {
-				return -1;
+				buf[i] = 0;
+				break;
 			}
 		} while (buf[i++] && (i < sizeof(buf)));
 		buf[sizeof(buf)-1] = 0; 
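Review bot: replacing `return -1;` with `buf[i] = 0; break;` turns a rejected spec into a silently truncated one, and nothing in the hunk says why that is safe; a one-line comment at the `break` (stop copying at the first character that does not fit a char, the parser then sees a NUL-terminated prefix) would spare the next reader a trip through the list archive. The bound itself is sound: `buf[i++] && (i < sizeof(buf))` stops once index `sizeof(buf)-1` has been written, and the trailing `buf[sizeof(buf)-1] = 0;` terminates the truncated copy. Note also that the `(char)` cast in the context lines compares through a possibly signed `char`, so characters 0x80..0xFF are treated as "wider" and end the copy too; worth stating in the comment whether that is intended.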

> -----Original Message-----
> From: filippo arcidiacono [mailto:filippo.arcidiacono at st.com] 
> Sent: Tuesday, March 11, 2008 5:37 PM
> To: 'Kevin Cernekee'; 'Carmelo AMOROSO'
> Cc: 'uclibc at uclibc.org'
> Subject: RE: [PATCH] wprintf overflow
> 
> Hi,
> Your patch fixes the problem when a wide character is in the
> format string, but there are some problems if the wide char is
> in the format specifier. Have you any idea about this one?
> In my opinion your patch has to be the following (just to be in
> sync with the latest version of the trunk):
> --- uClibc-nptl-new/libc/stdio/_vfprintf.c	2008-03-11 
> 17:22:16.590005000 +0100
> +++ uClibc-nptl-SVN-thrunk/libc/stdio/_vfprintf.c	
> 2008-02-07 08:04:14.400000000 +0100
> @@ -896,8 +896,7 @@ int attribute_hidden _ppfs_parsespec(ppf
>  			if ((buf[i] = (char) (((wchar_t *) 
> ppfs->fmtpos)[i-1]))
>  				!= (((wchar_t *) ppfs->fmtpos)[i-1])
>  				) {
> -				buf[i] = 0;
> -				break;
> +				return -1;
>  			}
>  		} while (buf[i++] && (i < sizeof(buf)));
>  		buf[sizeof(buf)-1] = 0; 
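Review bot: the `---`/`+++` headers are the wrong way round (the `-new` tree is listed as the original and the SVN trunk as the modified file), so this hunk reads as a revert: it removes `buf[i] = 0; break;` and puts `return -1;` back. Regenerate the diff with the trunk file as the first argument; the patch at the top of this message is the corrected version.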
> 
> > -----Original Message-----
> > From: uclibc-bounces at uclibc.org
> > [mailto:uclibc-bounces at uclibc.org] On Behalf Of Kevin Cernekee
> > Sent: Tuesday, February 26, 2008 6:46 AM
> > To: Carmelo AMOROSO
> > Cc: uclibc at uclibc.org
> > Subject: Re: [PATCH] wprintf overflow
> > 
> > 
> > On Thu, 7 Feb 2008, Carmelo AMOROSO wrote:
> > 
> > > The fix I committed I think is better... because it solves the stack
> > > overflow but keeps the check against higher characters.
> > > I tested it and it works. Let me know your comments.
> > 
> > Hi,
> > 
> > One of the concerns I had with that loop is that it always aborts the
> > parser if it trips on a "wider" character during the copy, even if it
> > wasn't part of the format specifier.
> > For instance:
> > 
> > wprintf(L"%d %d %d \x0101\n", 1, 2, 3);
> > 
> > I don't know if this is a problem in real life, but I erred on the 
> > side of caution and wound up using this fix:
> > 
> > --- uClibc-nptl-0.9.29-20070423.orig/libc/stdio/_vfprintf.c	
> > 2006-06-19 19:32:05.000000000 -0700
> > +++ uClibc-nptl-0.9.29-20070423/libc/stdio/_vfprintf.c	
> > 2008-01-16 15:18:19.000000000 -0800
> > @@ -893,10 +893,13 @@
> >  		fmt = buf + 1;
> >  		i = 0;
> >  		do {
> > +			if(i == sizeof(buf))
> > +				break;
> >  			if ((buf[i] = (char) (((wchar_t *)
> > ppfs->fmtpos)[i-1]))
> >  				!= (((wchar_t *) ppfs->fmtpos)[i-1])
> >  				) {
> > -				return -1;
> > +				buf[i] = 0;
> > +				break;
> >  			}
> >  		} while (buf[i++]);
> >  		buf[sizeof(buf)-1] = 0;
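Review bot: `if(i == sizeof(buf)) break;` bounds the copy but leaves `buf` unterminated at that point; it relies on the `buf[sizeof(buf)-1] = 0;` after the loop, which is correct but deserves a comment tying the two lines together. Style: `if (` with a space, matching the `if ((buf[i] = ...` line right below and the rest of the file. The bound could also go into the loop condition, `while (buf[i++] && (i < sizeof(buf)))`, which drops the separate test at the top of the body.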
> > _______________________________________________
> > uClibc mailing list
> > uClibc at uclibc.org
> > http://busybox.net/cgi-bin/mailman/listinfo/uclibc
> > 
> 
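The bounded copy that the thread converges on, written out as an added example for this page rather than code from uClibc: a standalone C function copies the wide characters that follow a `%` into a small `char` buffer, stops at the first character that does not fit a `char` (Kevin's `\x0101` case, where the wide character sits after the specs, not inside one) and cuts the copy at the buffer end instead of overflowing the stack. `SPEC_BUF_SIZE`, the function and enum names, and the sample format strings are assumptions made here; the narrowing check goes through `unsigned char` rather than the thread's `(char)` cast, which is a choice for this example and not uClibc's behaviour.

```c
/* Added example, not uClibc code: a bounded copy of the wide characters that
 * follow a '%' into a fixed-size char buffer, modelled on the loop discussed
 * in the thread. SPEC_BUF_SIZE, the names below and the sample inputs are
 * assumptions made for this example. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define SPEC_BUF_SIZE 16 /* assumed; the real buffer size is not on this page */

enum spec_result {
    SPEC_OK = 0,       /* the terminating NUL was copied */
    SPEC_WIDE = 1,     /* copy stopped at a character that does not fit a char */
    SPEC_TRUNCATED = 2 /* spec longer than the buffer; cut at the buffer end */
};

/*
 * Copy fmt (the text after a '%') into buf, one narrow char per wide char.
 * buf[0] is set to '%' to mirror the fmt = buf + 1 layout in the thread.
 * The copy stops at a NUL, at a character wider than a char, or when the
 * buffer is full; buf is NUL-terminated on every return path.
 */
static enum spec_result copy_spec(const wchar_t *fmt, char buf[SPEC_BUF_SIZE])
{
    enum spec_result rc = SPEC_TRUNCATED; /* unless a NUL or wide char ends it */
    size_t i;

    buf[0] = '%';
    for (i = 1; i < SPEC_BUF_SIZE; i++) {
        wchar_t wc = fmt[i - 1];
        /* Round-trip through unsigned char: anything that does not survive
         * the narrowing is "wider" than a char and ends the spec here. */
        if ((wchar_t)(unsigned char)wc != wc) {
            buf[i] = '\0';
            rc = SPEC_WIDE;
            break;
        }
        buf[i] = (char)wc;
        if (wc == L'\0') {
            rc = SPEC_OK;
            break;
        }
    }
    buf[SPEC_BUF_SIZE - 1] = '\0'; /* terminates the truncated case */
    return rc;
}

/* Small wrappers so each outcome can be checked as a return value. */
static int spec_code(const wchar_t *fmt)
{
    char buf[SPEC_BUF_SIZE];
    return (int)copy_spec(fmt, buf);
}

static int spec_equals(const wchar_t *fmt, const char *expect)
{
    char buf[SPEC_BUF_SIZE];
    copy_spec(fmt, buf);
    return strcmp(buf, expect) == 0;
}

static size_t spec_len(const wchar_t *fmt)
{
    char buf[SPEC_BUF_SIZE];
    copy_spec(fmt, buf);
    return strlen(buf);
}

int main(void)
{
    /* Constructed inputs: the text after the first '%' of each format. */
    static const wchar_t *const inputs[] = {
        L"d",                        /* plain spec */
        L"d %d %d \x0101\n",         /* Kevin's example: wide char after the specs */
        L"0000000000000000000000d",  /* width field longer than the buffer */
    };
    static const char *const names[] = { "ok", "wide", "truncated" };
    char buf[SPEC_BUF_SIZE];
    size_t n;

    for (n = 0; n < sizeof(inputs) / sizeof(inputs[0]); n++) {
        enum spec_result rc = copy_spec(inputs[n], buf);
        printf("%-9s \"%s\" (%zu chars)\n", names[rc], buf, strlen(buf));
    }
    return 0;
}
```

The third input is the case the thread's patches guard against: a spec longer than the buffer ends with `SPEC_TRUNCATED` and exactly `SPEC_BUF_SIZE - 1` characters, never a write past the array. The `unsigned char` round-trip differs from the `(char)` cast in the patches only for bytes 0x80..0xFF, which the patches treat as "wider" on signed-char targets and this example copies as ordinary bytes; either way the copy stays inside the buffer.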