[PATCH] wprintf overflow

Filippo ARCIDIACONO filippo.arcidiacono at st.com
Tue Mar 11 16:37:16 UTC 2008


Hi,
Your patch fixes the problem when a wide character is in the format string,
but there are some problems if the wide char is in the format specifier. Have
you any idea about this one?
In my opinion your patch has to be the following (just to be in sync with the
latest version of the trunk):
--- uClibc-nptl-new/libc/stdio/_vfprintf.c	2008-03-11
17:22:16.590005000 +0100
+++ uClibc-nptl-SVN-thrunk/libc/stdio/_vfprintf.c	2008-02-07
08:04:14.400000000 +0100
@@ -896,8 +896,7 @@ int attribute_hidden _ppfs_parsespec(ppf
 			if ((buf[i] = (char) (((wchar_t *)
ppfs->fmtpos)[i-1]))
 				!= (((wchar_t *) ppfs->fmtpos)[i-1])
 				) {
-				buf[i] = 0;
-				break;
+				return -1;
 			}
 		} while (buf[i++] && (i < sizeof(buf)));
 		buf[sizeof(buf)-1] = 0; 
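Review bot: the `---`/`+++` order is reversed relative to the quoted patch: the newer tree (uClibc-nptl-new, 2008-03-11) is on the `---` side and the 2008-02-07 trunk on the `+++` side, so applying this hunk as posted would reinstate `return -1;` and drop `buf[i] = 0; break;`; regenerate it with the trunk file as the old side so the direction matches the text. Since the unchanged context line `} while (buf[i++] && (i < sizeof(buf)));` shows the trunk loop already stops at the end of `buf`, the only difference left between the two trees is the handling of a wider character, and `return -1;` still rejects the whole format for the `L"%d %d %d \x0101\n"` case discussed in the quoted reply.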

> -----Original Message-----
> From: uclibc-bounces at uclibc.org 
> [mailto:uclibc-bounces at uclibc.org] On Behalf Of Kevin Cernekee
> Sent: Tuesday, February 26, 2008 6:46 AM
> To: Carmelo AMOROSO
> Cc: uclibc at uclibc.org
> Subject: Re: [PATCH] wprintf overflow
> 
> 
> On Thu, 7 Feb 2008, Carmelo AMOROSO wrote:
> 
> > The fix I committed I think is better... because it solves the stack 
> > overflow but keeps the check against higher characters.
> > I tested it and it works. Let me know your comments.
> 
> Hi,
> 
> One of the concerns I had with that loop is that it always 
> aborts the parser if it trips on a "wider" character during 
> the copy, even if it wasn't part of the format specifier.  
> For instance:
> 
> wprintf(L"%d %d %d \x0101\n", 1, 2, 3);
> 
> I don't know if this is a problem in real life, but I erred 
> on the side of caution and wound up using this fix:
> 
> --- uClibc-nptl-0.9.29-20070423.orig/libc/stdio/_vfprintf.c	
> 2006-06-19 19:32:05.000000000 -0700
> +++ uClibc-nptl-0.9.29-20070423/libc/stdio/_vfprintf.c	
> 2008-01-16 15:18:19.000000000 -0800
> @@ -893,10 +893,13 @@
>  		fmt = buf + 1;
>  		i = 0;
>  		do {
> +			if(i == sizeof(buf))
> +				break;
>  			if ((buf[i] = (char) (((wchar_t *) 
> ppfs->fmtpos)[i-1]))
>  				!= (((wchar_t *) ppfs->fmtpos)[i-1])
>  				) {
> -				return -1;
> +				buf[i] = 0;
> +				break;
>  			}
>  		} while (buf[i++]);
>  		buf[sizeof(buf)-1] = 0;
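Review bot: with `buf[i] = 0; break;` at the mismatch, a wider character that occurs inside the specifier itself (the case raised in the reply above) silently cuts the spec short in `buf` and the parser carries on as if the copy had succeeded, since `break` leaves the loop without signalling an error; consider keeping `return -1;` for a mismatch hit before the conversion character is reached and using the truncate-and-break path only once the specifier is complete. The added `if(i == sizeof(buf)) break;` is correctly placed before the write, but on that path `buf[sizeof(buf)-1]` may still hold a copied character, so the trailing `buf[sizeof(buf)-1] = 0;` is now the only guarantee of termination and must stay; also `if(` should be `if (` to match the surrounding style.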

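As an added illustration (not code from this thread or from uClibc), a standalone bounded version of the narrowing copy loop that both patches modify: it reserves room for the terminator, stops at a code unit that does not round-trip through char, and reports which of three outcomes occurred so a caller can tell a wider character after the specifiers (the wprintf case quoted above) from one inside them. The function name `spec_copy`, the result codes and the sample formats are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Result codes for the bounded narrowing copy. */
enum spec_copy_result {
    SPEC_OK = 0,         /* everything up to the NUL fitted in buf */
    SPEC_TRUNC_WIDE = 1, /* stopped at a code unit that does not fit a char */
    SPEC_TRUNC_FULL = 2  /* buf filled before the NUL was reached */
};

/* Bounded version of the narrowing copy from the thread: each wchar_t is cast
 * to char and compared with the original; a mismatch means the code unit was
 * "wider" than a char (on signed-char targets 0x80..0xFF also fail, as in the
 * original) and the copy stops there, like the "buf[i] = 0; break;" variant.
 * Unlike the loop under discussion, the bound is tested before every write and
 * one byte is reserved for the terminator, so buf is always NUL-terminated. */
int spec_copy(const wchar_t *fmt, char *buf, size_t bufsz)
{
    size_t i;
    if (bufsz == 0)
        return SPEC_TRUNC_FULL;
    for (i = 0;; i++) {
        if (i == bufsz - 1) {             /* out of room: terminate and stop */
            buf[i] = 0;
            return fmt[i] ? SPEC_TRUNC_FULL : SPEC_OK;
        }
        buf[i] = (char) fmt[i];
        if ((wchar_t) buf[i] != fmt[i]) { /* did not survive the round trip */
            buf[i] = 0;
            return SPEC_TRUNC_WIDE;
        }
        if (buf[i] == 0)
            return SPEC_OK;
    }
}

int main(void)
{
    char buf[32];
    /* Format from the quoted reply: the wider character follows the specs. */
    int rc = spec_copy(L"%d %d %d \x0101\n", buf, sizeof buf);
    printf("rc=%d copied=\"%s\"\n", rc, buf); /* rc=1 copied="%d %d %d " */
    /* Wider character inside the specifier, the case raised in the mail. */
    rc = spec_copy(L"%\x0101" L"d", buf, sizeof buf);
    printf("rc=%d copied=\"%s\"\n", rc, buf); /* rc=1 copied="%" */
    return 0;
}
```

Both calls return SPEC_TRUNC_WIDE, so a caller that wants to reject only the second case still has to check whether the conversion character had been reached when the copy stopped.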