[PATCH] wprintf overflow
Kevin Cernekee
kpc-uclibc at b32.net
Mon Feb 25 21:45:59 PST 2008
On Thu, 7 Feb 2008, Carmelo AMOROSO wrote:
> The fix I committed I think is better... because it solves the stack
> overflow but keeps the check against
> higher characters.
> I tested it and it works. Let me know your comments.
Hi,
One of the concerns I had with that loop is that it always aborts the
parser if it trips on a "wider" character during the copy, even if it
wasn't part of the format specifier. For instance:
wprintf(L"%d %d %d \x0101\n", 1, 2, 3);
I don't know if this is a problem in real life, but I erred on the side of
caution and wound up using this fix:
--- uClibc-nptl-0.9.29-20070423.orig/libc/stdio/_vfprintf.c 2006-06-19 19:32:05.000000000 -0700
+++ uClibc-nptl-0.9.29-20070423/libc/stdio/_vfprintf.c 2008-01-16 15:18:19.000000000 -0800
@@ -893,10 +893,13 @@
fmt = buf + 1;
i = 0;
do {
+ if(i == sizeof(buf))
+ break;
if ((buf[i] = (char) (((wchar_t *) ppfs->fmtpos)[i-1]))
!= (((wchar_t *) ppfs->fmtpos)[i-1])
) {
- return -1;
+ buf[i] = 0;
+ break;
}
} while (buf[i++]);
buf[sizeof(buf)-1] = 0;
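Review bot: the new `if(i == sizeof(buf)) break;` turns the overlong-specifier case into a silent truncation rather than a rejection: the loop leaves `buf` with no terminator at that point, the trailing `buf[sizeof(buf)-1] = 0;` then overwrites the last copied character, and parsing of `fmt` proceeds on a cut-off specifier. A conversion specifier longer than `buf` cannot be valid, so `return -1;` is the better reaction there, keeping `buf[i] = 0; break;` only for the wide-character case the message wants to tolerate. Style: `if(i` should be `if (i` to match the surrounding code.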
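A bounded narrowing copy of the kind the hunk above implements, as an added C example that is neither Kevin's code nor uClibc's: `narrow_spec_copy`, `SPEC_BUF_SIZE` and the scenario wrappers are hypothetical names chosen here, and the overlong input is constructed. It follows the message's choice to treat a wide character after the specifier as the end of the copy rather than an error, and goes one step further by reporting a specifier that fills the buffer as an error (-1) instead of truncating it silently.

```c
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define SPEC_BUF_SIZE 16   /* constructed buffer size for the demo */

/* Hypothetical helper (not uClibc's code): copy the head of a wide-character
 * format string into a fixed-size narrow buffer so a conversion specifier can
 * be parsed as plain chars. Three things end the copy:
 *   - the terminating L'\0' (copied; normal end);
 *   - a character that does not fit in a char (such as U+0101 in the
 *     message's example): the copy is cut there and the length so far is
 *     returned, so a wide character after the specifier does not abort;
 *   - the buffer filling up before either of the above: reported as -1,
 *     because a specifier longer than the buffer cannot be valid.
 * buf is NUL-terminated on every return path. */
int narrow_spec_copy(const wchar_t *wfmt, char buf[SPEC_BUF_SIZE])
{
    size_t i = 0;

    for (;;) {
        wchar_t wc;

        if (i == SPEC_BUF_SIZE - 1) {      /* only room left for the NUL */
            buf[i] = '\0';
            return -1;
        }
        wc = wfmt[i];
        /* Anything outside 0..255 (including negative values, which the
         * unsigned cast maps to a huge number) is wider than a char. */
        if ((unsigned long)wc > 0xFFul) {
            buf[i] = '\0';
            return (int)i;
        }
        buf[i] = (char)wc;
        if (wc == L'\0') {
            return (int)i;
        }
        i++;
    }
}

/* Scenario from the message: the wide character after the third specifier
 * ends the copy instead of aborting; "%d %d %d " (9 chars) is kept. */
int scenario_wide_char_after_spec(void)
{
    char buf[SPEC_BUF_SIZE];
    int n = narrow_spec_copy(L"%d %d %d \x0101\n", buf);
    return (n == 9 && strcmp(buf, "%d %d %d ") == 0) ? n : -100;
}

/* Ordinary specifier: everything up to the NUL is copied. */
int scenario_plain_spec(void)
{
    char buf[SPEC_BUF_SIZE];
    int n = narrow_spec_copy(L"%5.2f", buf);
    return (n == 5 && strcmp(buf, "%5.2f") == 0) ? n : -100;
}

/* Constructed overlong input: the copy stops at the buffer limit, the buffer
 * holds SPEC_BUF_SIZE-1 chars plus the NUL, and -1 flags the truncation. */
int scenario_overlong_spec(void)
{
    char buf[SPEC_BUF_SIZE];
    int n = narrow_spec_copy(L"%00000000000000000000d", buf);
    return (n == -1 && strlen(buf) == SPEC_BUF_SIZE - 1) ? n : -100;
}

int main(void)
{
    printf("wide char after spec: %d\n", scenario_wide_char_after_spec()); /* 9 */
    printf("plain spec:           %d\n", scenario_plain_spec());           /* 5 */
    printf("overlong spec:        %d\n", scenario_overlong_spec());        /* -1 */
    return 0;
}
```

The wrappers return -100 when the buffer contents are not what the scenario expects, so a single integer per scenario tells you both that the length and the NUL-termination came out right.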