
Re: mass bug filing for undefined sn?printf use



On Sun, Dec 28, 2008 at 12:02:46PM -0600, Steve Langasek wrote:
> On Sun, Dec 28, 2008 at 12:42:46AM -0800, Kees Cook wrote:
> >   pcregrep -M 'sprintf\s*\(\s*([^,]*)\s*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> >   pcregrep -M 'snprintf\s*\(\s*([^,]*)\s*,[^,]*,\s*"%s[^"]*"\s*,\s*\1\s*,'
> 
> I would note that this regexp, and the proposed solution, will not match
> i18nized format strings; i.e.,
> 
>   sprintf(buf, _("%s plus %d"), buf, k);

If _any_ of the translations doesn't start with %s, it will break.  Oh, and
you used sprintf() not snprintf() -- it's a guaranteed trample&segfault
here.  From what I've seen, many languages like to quote things not usually
quoted in English, so the core will be filled with '`', '“' or '»'.

The sprintf(buf, "%s foo", buf) hack is indeed something that should be
rooted out.  It happens to work on glibc (usually), but it's neither
portable nor sane.

> I don't know whether these are also a problem in practice - but if so, using
> sprintf(buf + strlen(buf) [...]) is definitely wrong.

In that case, I see no choice but using a second buffer...

-- 
1KB		// Microsoft corollary to Hanlon's razor:
		//	Never attribute to stupidity what can be
		//	adequately explained by malice.
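The two safe alternatives discussed in this thread, written out as an added example that is not part of the original mail (the helper names `append_fmt` and `rewrite_with_prefix` are mine): appending with `snprintf` at an offset that never passes `buf` as both destination and `%s` argument, and, for an i18nized format that may not start with `%s`, copying the old content to a second buffer first.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text to buf (total size cap) by writing at the end of the
 * current string with the remaining space as the bound. buf is never an
 * argument to its own snprintf, so source and destination cannot overlap.
 * Returns 0 on success, -1 if buf was unterminated or the result was cut. */
static int append_fmt(char *buf, size_t cap, const char *fmt, ...)
{
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL)
        return -1;                       /* no terminator inside cap */
    size_t used = (size_t)(nul - buf);
    size_t room = cap - used;

    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf + used, room, fmt, ap);
    va_end(ap);

    /* vsnprintf returns the length it wanted; >= room means truncation */
    return (n >= 0 && (size_t)n < room) ? 0 : -1;
}

/* Safe replacement for sprintf(buf, _("%s plus %d"), buf, k) when the
 * translated format may place %s anywhere: the old content goes into a
 * scratch buffer first, so the %s argument is not the destination. */
static int rewrite_with_prefix(char *buf, size_t cap, const char *fmt, int k)
{
    char old[256];                       /* assumed upper bound for the demo */
    const char *nul = memchr(buf, '\0', cap);
    if (nul == NULL || (size_t)(nul - buf) >= sizeof old)
        return -1;
    memcpy(old, buf, (size_t)(nul - buf) + 1);

    int n = snprintf(buf, cap, fmt, old, k);
    return (n >= 0 && (size_t)n < cap) ? 0 : -1;
}

int main(void)
{
    char buf[16] = "foo";
    int rc = append_fmt(buf, sizeof buf, " plus %d", 7);
    printf("rc=%d buf=\"%s\"\n", rc, buf);
    rc = rewrite_with_prefix(buf, sizeof buf, "[%s] %d", 9);
    printf("rc=%d buf=\"%s\"\n", rc, buf);
    return 0;
}
```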
