[PATCH] wprintf overflow
Filippo ARCIDIACONO
filippo.arcidiacono at st.com
Wed Mar 12 11:03:49 UTC 2008
Hi,
Apologies, discard my previous patch (I inverted the old and new files in
the diff command); consider the following one:
--- uClibc-nptl-SVN-thrunk/libc/stdio/_vfprintf.c 2008-02-07
08:04:14.400000000 +0100
+++ uClibc-nptl-new/libc/stdio/_vfprintf.c 2008-03-12
11:50:47.930003000 +0100
@@ -896,7 +896,8 @@ int attribute_hidden _ppfs_parsespec(ppf
if ((buf[i] = (char) (((wchar_t *)
ppfs->fmtpos)[i-1]))
!= (((wchar_t *) ppfs->fmtpos)[i-1])
) {
- return -1;
+ buf[i] = 0;
+ break;
}
} while (buf[i++] && (i < sizeof(buf)));
buf[sizeof(buf)-1] = 0;
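Review bot: with `return -1;` replaced by `buf[i] = 0; break;`, a wide character that appears inside a conversion specifier no longer aborts the parse; the copy simply stops there and the truncated contents of buf are handed to the rest of _ppfs_parsespec as if the specifier had ended at that point. That is exactly the case the earlier reply in this thread flags (a wide char in the format specifier), so the code after this loop needs to reject a specifier that was cut short, or the early termination should be restricted to characters that follow a complete specifier. The bound itself looks right: `while (buf[i++] && (i < sizeof(buf)))` tests i after the post-increment, so the highest index written is sizeof(buf)-1, and the trailing `buf[sizeof(buf)-1] = 0;` guarantees termination.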
> -----Original Message-----
> From: filippo arcidiacono [mailto:filippo.arcidiacono at st.com]
> Sent: Tuesday, March 11, 2008 5:37 PM
> To: 'Kevin Cernekee'; 'Carmelo AMOROSO'
> Cc: 'uclibc at uclibc.org'
> Subject: RE: [PATCH] wprintf overflow
>
> Hi,
> Your patch fixes the problem when a wide character is in the
> format string, but there are some problems if the wide char is
> in the format specifier. Have you any idea about this one?
> In my opinion your patch has to be the following (just to be in
> sync with the latest version of the trunk):
> --- uClibc-nptl-new/libc/stdio/_vfprintf.c 2008-03-11
> 17:22:16.590005000 +0100
> +++ uClibc-nptl-SVN-thrunk/libc/stdio/_vfprintf.c
> 2008-02-07 08:04:14.400000000 +0100
> @@ -896,8 +896,7 @@ int attribute_hidden _ppfs_parsespec(ppf
> if ((buf[i] = (char) (((wchar_t *)
> ppfs->fmtpos)[i-1]))
> != (((wchar_t *) ppfs->fmtpos)[i-1])
> ) {
> - buf[i] = 0;
> - break;
> + return -1;
> }
> } while (buf[i++] && (i < sizeof(buf)));
> buf[sizeof(buf)-1] = 0;
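Review bot: the file order in this hunk is inverted: the `---` line names the new tree and `+++` names the SVN trunk, and the hunk header `-896,8 +896,7` shows the change removing `buf[i] = 0;` / `break;` and reinstating `return -1;`, the opposite of the intended fix. The later message in this thread already withdraws it; the corrected diff should be generated with the trunk file as the first argument.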
>
> > -----Original Message-----
> > From: uclibc-bounces at uclibc.org
> > [mailto:uclibc-bounces at uclibc.org] On Behalf Of Kevin Cernekee
> > Sent: Tuesday, February 26, 2008 6:46 AM
> > To: Carmelo AMOROSO
> > Cc: uclibc at uclibc.org
> > Subject: Re: [PATCH] wprintf overflow
> >
> >
> > On Thu, 7 Feb 2008, Carmelo AMOROSO wrote:
> >
> > > The fix I committed I think is better... because it solves
> > > the stack overflow but keeps the check against higher characters.
> > > I tested it and it works. Let me know your comments.
> >
> > Hi,
> >
> > One of the concerns I had with that loop is that it always
> > aborts the parser if it trips on a "wider" character during
> > the copy, even if it wasn't part of the format specifier.
> > For instance:
> >
> > wprintf(L"%d %d %d \x0101\n", 1, 2, 3);
> >
> > I don't know if this is a problem in real life, but I erred on the
> > side of caution and wound up using this fix:
> >
> > --- uClibc-nptl-0.9.29-20070423.orig/libc/stdio/_vfprintf.c
> > 2006-06-19 19:32:05.000000000 -0700
> > +++ uClibc-nptl-0.9.29-20070423/libc/stdio/_vfprintf.c
> > 2008-01-16 15:18:19.000000000 -0800
> > @@ -893,10 +893,13 @@
> > fmt = buf + 1;
> > i = 0;
> > do {
> > + if(i == sizeof(buf))
> > + break;
> > if ((buf[i] = (char) (((wchar_t *)
> > ppfs->fmtpos)[i-1]))
> > != (((wchar_t *) ppfs->fmtpos)[i-1])
> > ) {
> > - return -1;
> > + buf[i] = 0;
> > + break;
> > }
> > } while (buf[i++]);
> > buf[sizeof(buf)-1] = 0;
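Review bot: the added `if(i == sizeof(buf)) break;` at the top of the loop closes the unbounded `while (buf[i++]);` copy into the fixed-size buf, and since i only grows by one per iteration the `==` test is sufficient, though `>=` would be the more defensive form. Two further points: after either break the truncated buffer is parsed as though it were a complete specifier instead of being reported, so an overlong specifier is silently cut rather than rejected; for the length case, where the spec clearly did not terminate within buf, `return -1;` would be the safer outcome. Style: add a space after `if` to match the surrounding code.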
> > _______________________________________________
> > uClibc mailing list
> > uClibc at uclibc.org
> > http://busybox.net/cgi-bin/mailman/listinfo/uclibc
> >
>