2007-12-08 Ulrich Drepper <drepper@redhat.com>
[BZ #5424]
* stdio-common/vfprintf.c: Do not overflow when adding to done.
* stdio-common/Makefile (tests): Add bug22.
* stdio-common/bug22.c: New file.
--- libc/stdio-common/vfprintf.c 6 Nov 2007 21:38:38 -0000 1.143
+++ libc/stdio-common/vfprintf.c 10 Dec 2007 01:42:44 -0000 1.144
@@ -64,6 +64,19 @@
} while (0)
#define UNBUFFERED_P(S) ((S)->_IO_file_flags & _IO_UNBUFFERED)
+#define done_add(val) \
+ do { \
+ unsigned int _val = val; \
+ assert ((unsigned int) done < (unsigned int) INT_MAX); \
+ if (__builtin_expect ((unsigned int) INT_MAX - (unsigned int) done \
+ < _val, 0)) \
+ { \
+ done = -1; \
+ goto all_done; \
+ } \
+ done += _val; \
+ } while (0)
+
#ifndef COMPILE_WPRINTF
# define vfprintf _IO_vfprintf_internal
# define CHAR_T char
@@ -76,7 +89,7 @@
# define PUT(F, S, N) _IO_sputn ((F), (S), (N))
# define PAD(Padchar) \
if (width > 0) \
- done += INTUSE(_IO_padn) (s, (Padchar), width)
+ done_add (INTUSE(_IO_padn) (s, (Padchar), width))
# define PUTC(C, F) _IO_putc_unlocked (C, F)
# define ORIENT if (_IO_vtable_offset (s) == 0 && _IO_fwide (s, -1) != -1)\
return -1
@@ -95,7 +108,7 @@
# define PUT(F, S, N) _IO_sputn ((F), (S), (N))
# define PAD(Padchar) \
if (width > 0) \
- done += _IO_wpadn (s, (Padchar), width)
+ done_add (_IO_wpadn (s, (Padchar), width))
# define PUTC(C, F) _IO_putwc_unlocked (C, F)
# define ORIENT if (_IO_fwide (s, 1) != 1) return -1
@@ -116,20 +129,21 @@
do \
{ \
register const INT_T outc = (Ch); \
- if (PUTC (outc, s) == EOF) \
+ if (PUTC (outc, s) == EOF || done == INT_MAX) \
{ \
done = -1; \
goto all_done; \
} \
- else \
- ++done; \
+ ++done; \
} \
while (0)
#define outstring(String, Len) \
do \
{ \
- if ((size_t) PUT (s, (String), (Len)) != (size_t) (Len)) \
+ assert ((size_t) done <= (size_t) INT_MAX); \
+ if ((size_t) PUT (s, (String), (Len)) != (size_t) (Len) \
+ || (size_t) INT_MAX - (size_t) done < (size_t) (Len)) \
{ \
done = -1; \
goto all_done; \
@@ -811,7 +825,7 @@ vfprintf (FILE *s, const CHAR_T *format,
goto all_done; \
} \
\
- done += function_done; \
+ done_add (function_done); \
} \
break; \
\
@@ -865,7 +879,7 @@ vfprintf (FILE *s, const CHAR_T *format,
goto all_done; \
} \
\
- done += function_done; \
+ done_add (function_done); \
} \
break; \
\
@@ -1893,7 +1907,7 @@ do_positional:
goto all_done;
}
- done += function_done;
+ done_add (function_done);
}
break;
}
--- libc/stdio-common/Makefile 28 Oct 2007 16:45:08 -0000 1.110
+++ libc/stdio-common/Makefile 10 Dec 2007 01:43:13 -0000 1.111
@@ -55,7 +55,7 @@ tests := tstscanf test_rdwr test-popen t
tst-perror tst-sprintf tst-rndseek tst-fdopen tst-fphex bug14 bug15 \
tst-popen tst-unlockedio tst-fmemopen2 tst-put-error tst-fgets \
tst-fwrite bug16 bug17 tst-sprintf2 bug18 bug18a bug19 bug19a \
- tst-popen2 bug20
+ tst-popen2 bug20 bug22
test-srcs = tst-unbputc tst-printf
--- libc/stdio-common/bug22.c 1 Jan 1970 00:00:00 -0000
+++ libc/stdio-common/bug22.c 10 Dec 2007 01:43:01 -0000 1.1
@@ -0,0 +1,32 @@
+/* BZ #5424 */
+#include <stdio.h>
+
+#define N 2147483648
+
+#define STRINGIFY(S) #S
+#define MAKE_STR(S) STRINGIFY(S)
+
+#define SN MAKE_STR(N)
+
+static int
+do_test (void)
+{
+ int ret;
+
+ FILE *fp = fopen ("/dev/null", "w");
+ if (fp == NULL)
+ {
+ puts ("cannot open /dev/null");
+ return 1;
+ }
+
+ ret = fprintf (fp, "%" SN "d%" SN "d", 1, 1);
+
+ printf ("ret = %d\n", ret);
+
+ return ret != -1;
+}
+
+#define TIMEOUT 30
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
distrib
>
Scientific%20Linux
>
5x
>
x86_64
>
by-pkgid
>
bee470e21a8ce2cdd844d7d805aa403d
>
files
>
68
