bug#8683: printf out-of-bounds memory access
From: Pádraig Brady
Subject: bug#8683: printf out-of-bounds memory access
Date: Tue, 17 May 2011 16:54:39 +0100
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100227 Thunderbird/3.0.3
On 17/05/11 16:31, Paul Marinescu wrote:
> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
> an integer argument consists only of a single or double quote.
>
> The printf spec mentions that an integer argument consisting of a
> single/double quote followed by a character is interpreted as the ASCII
> value of that character. However, when the quote is alone, the code in
> the STRTOX macro (printf.c:171) goes beyond the buffer associated with
> the argument.
>
> Possible fix: report an error at printf.c:166 if ch is 0.
Good catch!
We'll apply something like the following which results in:
$ ./printf "%d\n" '"a"'
./printf: warning: ": character(s) following character constant have been
ignored
97
$ ./printf "%d\n" '"a'
97
$ ./printf "%d\n" '"'
./printf: ": expected a numeric value
0
$ ./printf "%d\n" 'a'
./printf: a: expected a numeric value
0
cheers,
Pádraig.
diff --git a/src/printf.c b/src/printf.c
index e05947c..22a85e7 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s)
\
char *end; \
TYPE val; \
\
- if (*s == '\"' || *s == '\'')
\
+ if ((*s == '\"' || *s == '\'') && *(s+1)) \
{ \
unsigned char ch = *++s; \
val = ch;
\
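Review bot: the added `&& *(s+1)` on the `+` line is the entire fix: the branch body goes on to read `*++s`, so without the guard a lone quote makes the macro read the byte after the terminating NUL, and with it a lone `"` or `'` falls through to the numeric conversion below, which is where the `": expected a numeric value` diagnostic in the transcript comes from. Two suggestions: `s[1]` reads more naturally than `*(s+1)`, and since this is the body of the STRTOX macro every continued line must keep its trailing backslash, which the display here has wrapped onto separate lines. A regression test that feeds `'"'` and `"'"` as `%d` arguments would pin the intended behaviour so the guard is not lost in a later refactor.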
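For readers who want to see the corrected logic outside the macro, the following is an added example written for this thread, not coreutils code: a small stand-alone parser that applies the same rule the patch enforces (a quote is a character constant only when a character follows it; a lone quote is handed to the numeric conversion instead). The names `parse_int_arg`, `int_arg` and `arg_status` are hypothetical, and the numeric path is a simplified model of coreutils' behaviour using `strtol`.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Outcome of parsing one integer argument (hypothetical helper, not coreutils). */
enum arg_status { ARG_OK, ARG_TRAILING_IGNORED, ARG_NOT_NUMERIC };

struct int_arg {
    long value;
    enum arg_status status;
};

/* Parse S as a printf %d argument.
   A leading single or double quote followed by at least one character yields
   that character's value (the POSIX character-constant rule).  The s[1] != '\0'
   guard is the point of bug#8683: without it the code would dereference the
   byte after the terminating NUL when the argument is a lone quote.  A lone
   quote therefore falls through to the numeric path, which rejects it. */
struct int_arg parse_int_arg(const char *s)
{
    struct int_arg r = { 0, ARG_OK };

    if ((s[0] == '"' || s[0] == '\'') && s[1] != '\0') {
        r.value = (unsigned char) s[1];
        if (s[2] != '\0')               /* e.g. "a" -> the closing quote is ignored */
            r.status = ARG_TRAILING_IGNORED;
        return r;
    }

    /* Simplified numeric conversion: no digits consumed -> not numeric (value 0);
       digits followed by junk -> keep the prefix but flag the leftover. */
    char *end;
    errno = 0;
    long v = strtol(s, &end, 0);
    if (end == s) {
        r.value = 0;
        r.status = ARG_NOT_NUMERIC;
        return r;
    }
    r.value = v;
    if (*end != '\0' || errno == ERANGE)
        r.status = ARG_TRAILING_IGNORED;
    return r;
}

/* Stand-alone driver: prints the value and a diagnostic for each argument,
   mirroring the transcript in the mail (constructed inputs if none given). */
int main(int argc, char **argv)
{
    static const char *samples[] = { "\"a\"", "\"a", "\"", "a", "42" };
    int n = argc > 1 ? argc - 1 : (int) (sizeof samples / sizeof samples[0]);
    for (int i = 0; i < n; i++) {
        const char *arg = argc > 1 ? argv[i + 1] : samples[i];
        struct int_arg r = parse_int_arg(arg);
        if (r.status == ARG_NOT_NUMERIC)
            fprintf(stderr, "%s: expected a numeric value\n", arg);
        else if (r.status == ARG_TRAILING_IGNORED)
            fprintf(stderr, "%s: trailing character(s) ignored\n", arg);
        printf("%ld\n", r.value);
    }
    return 0;
}
```

With no arguments the driver runs the five constructed inputs from the transcript and reproduces its values (97, 97, 0, 0) plus 42; the guard is the only thing standing between the lone-quote case and a read past the end of the argument string.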