[PATCH] wprintf overflow

Kevin Cernekee kpc-uclibc at b32.net
Tue Feb 26 05:45:59 UTC 2008


On Thu, 7 Feb 2008, Carmelo AMOROSO wrote:

> The fix I committed I think is better... because it solves the stack
> overflow but keeps the check against
> higher characters.
> I tested it and it works. Let me know your comments.

Hi,

One of the concerns I had with that loop is that it always aborts the
parser if it trips on a "wider" character during the copy, even if it
wasn't part of the format specifier.  For instance:

wprintf(L"%d %d %d \x0101\n", 1, 2, 3);

I don't know if this is a problem in real life, but I erred on the side of
caution and wound up using this fix:

--- uClibc-nptl-0.9.29-20070423.orig/libc/stdio/_vfprintf.c	2006-06-19 19:32:05.000000000 -0700
+++ uClibc-nptl-0.9.29-20070423/libc/stdio/_vfprintf.c	2008-01-16 15:18:19.000000000 -0800
@@ -893,10 +893,13 @@
 		fmt = buf + 1;
 		i = 0;
 		do {
+			if(i == sizeof(buf))
+				break;
 			if ((buf[i] = (char) (((wchar_t *) ppfs->fmtpos)[i-1]))
 				!= (((wchar_t *) ppfs->fmtpos)[i-1])
 				) {
-				return -1;
+				buf[i] = 0;
+				break;
 			}
 		} while (buf[i++]);
 		buf[sizeof(buf)-1] = 0;
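Review bot: the new `if(i == sizeof(buf)) break;` guard stops the loop before it writes past `buf`, but when it fires the last slot still holds a copied character and the code depends on the unchanged `buf[sizeof(buf)-1] = 0;` below to terminate the string; that dependency, and why a specifier truncated at `sizeof(buf)-1` bytes is acceptable to hand to the rest of the parser, is not explained anywhere in the hunk, so a comment above the `do` would help. The same applies to the wide-character branch, where `buf[i] = 0; break;` replaces `return -1;`: the narrow copy now ends quietly at the first character that does not survive the cast to `char`, which is the intended outcome for a wide character that follows a complete specifier (the `\x0101` case) but also means a wide character inside a specifier is no longer reported from here; note in a comment that the subsequent parse is expected to reject that. Style: `if(i == sizeof(buf))` should be written `if (i == sizeof(buf))` to match the surrounding `if (` and `while (` spacing.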

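The bounded narrowing copy that the patch introduces, as an added stand-alone example that is not part of the patch or of uClibc: the same three stop conditions (buffer full, NUL terminator, character wider than `char`), driven with the wprintf format from the message and with a constructed over-long specifier. The buffer size and the 7-bit test for "narrow" are assumptions of this example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#include <wchar.h>

#define SPEC_BUF 16 /* constructed size; stands in for the local buf[] in _vfprintf.c */

/* Copy the text that follows a '%' in a wide format string into a narrow
 * buffer with the patched loop's three stop conditions: buffer full, NUL
 * terminator, or a character that does not fit in a char.  Hitting a wide
 * character terminates the copy instead of failing the whole format, so the
 * \x0101 in wprintf(L"%d %d %d \x0101\n", ...) no longer aborts it.
 * Assumption of this example: "narrow" means 7-bit ASCII (the patch instead
 * compares the value after a cast to char).  buf is always NUL-terminated;
 * the return value is the number of bytes copied. */
size_t narrow_spec(const wchar_t *wspec, char *buf, size_t bufsz)
{
    size_t i = 0;

    if (bufsz == 0)
        return 0;
    /* i < bufsz - 1 reserves the last slot for the terminator, which is what
     * the patch's i == sizeof(buf) break and buf[sizeof(buf)-1] = 0 achieve
     * together. */
    while (i < bufsz - 1 && wspec[i] != L'\0' &&
           (unsigned long) wspec[i] < 0x80UL) {
        buf[i] = (char) wspec[i];
        i++;
    }
    buf[i] = '\0';
    return i;
}

/* Constructed inputs: the format from the message (leading '%' already
 * consumed by the caller) and a specifier longer than the buffer. */
int main(void)
{
    char buf[SPEC_BUF];
    size_t n;

    n = narrow_spec(L"d %d %d \x0101\n", buf, sizeof buf);
    printf("%zu \"%s\"\n", n, buf);   /* 8 "d %d %d ": stopped at U+0101 */

    n = narrow_spec(L"0123456789abcdefXYZ", buf, sizeof buf);
    printf("%zu \"%s\"\n", n, buf);   /* 15 "0123456789abcde": truncated */
    return 0;
}
```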
