Bug#208308: *printf() and incomplete multibyte sequences may cause infinite loops in applications
found 208308 eglibc/2.13-36
tags 208308 + upstream patch
# C99 compliance
severity 208308 important
quit
Mike Hommey wrote:
> There is no "l" modifier, but still, the string goes through the
> multibyte conversion code, and fails because the string is invalid
> multibyte.
How about this patch?
Index: patches/any/cvs-vfprintf-binary.diff
===================================================================
--- patches/any/cvs-vfprintf-binary.diff (révision 0)
+++ patches/any/cvs-vfprintf-binary.diff (copie de travail)
@@ -0,0 +1,110 @@
+2012-09-28 Andreas Schwab <schwab@linux-m68k.org>
+
+ [BZ #6530]
+ * stdio-common/vfprintf.c (process_string_arg): Revert
+ 2000-07-22 change.
+
+2011-09-28 Jonathan Nieder <jrnieder@gmail.com>
+
+ * stdio-common/Makefile (tst-sprintf-ENV): Set environment
+ for testcase.
+ * stdio-common/tst-sprintf.c: Include <locale.h>
+ (main): Test sprintf's handling of incomplete multibyte
+ characters.
+
+ stdio-common/Makefile | 1 +
+ stdio-common/tst-sprintf.c | 13 +++++++++++++
+ stdio-common/vfprintf.c | 39 +++------------------------------------
+ 3 files changed, 17 insertions(+), 36 deletions(-)
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index 1431a211..5625bd3e 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -136,6 +136,7 @@ CFLAGS-scanf17.c = -I../libio -I../stdlib -I../wcsmbs -I../time -I../string \
+
+ # We know the test has a format string problem.
+ CFLAGS-tst-sprintf.c = -Wno-format
++tst-sprintf-ENV = LOCPATH=$(common-objpfx)localedata
+ tst-sscanf-ENV = LOCPATH=$(common-objpfx)localedata
+ tst-swprintf-ENV = LOCPATH=$(common-objpfx)localedata
+ test-vfprintf-ENV = LOCPATH=$(common-objpfx)localedata
+diff --git a/stdio-common/tst-sprintf.c b/stdio-common/tst-sprintf.c
+index bfa79c9c..42159a26 100644
+--- a/stdio-common/tst-sprintf.c
++++ b/stdio-common/tst-sprintf.c
+@@ -1,5 +1,6 @@
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <locale.h>
+ #include <string.h>
+ #include <gnu/option-groups.h>
+
+@@ -61,5 +62,17 @@ main (void)
+ result = 1;
+ }
+
++ if (setlocale (LC_ALL, "de_DE.UTF-8") == NULL)
++ {
++ puts ("cannot set locale");
++ result = 1;
++ }
++ else if (sprintf (buf, "%.8s\n", "Foo: \277") != 7
++ || strcmp (buf, "Foo: \277\n") != 0)
++ {
++ printf ("sprintf (buf, \"%%.8s\\n\", \"Foo: \\277\") produced '%s' output\n", buf);
++ result = 1;
++ }
++
+ return result;
+ }
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 927c0c26..25a2c5dd 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -1180,42 +1180,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+ else if (!is_long && spec != L_('S')) \
+ { \
+ if (prec != -1) \
+- { \
+- /* Search for the end of the string, but don't search past \
+- the length (in bytes) specified by the precision. Also \
+- don't use incomplete characters. */ \
+- if (! LOCALE_SUPPORT \
+- ||_NL_CURRENT_WORD (LC_CTYPE, _NL_CTYPE_MB_CUR_MAX) == 1) \
+- len = __strnlen (string, prec); \
+- else \
+- { \
+- /* In case we have a multibyte character set the \
+- situation is more complicated. We must not copy \
+- bytes at the end which form an incomplete character. */\
+- size_t ignore_size = (unsigned) prec > 1024 ? 1024 : prec;\
+- wchar_t ignore[ignore_size]; \
+- const char *str2 = string; \
+- const char *strend = string + prec; \
+- if (strend < string) \
+- strend = (const char *) UINTPTR_MAX; \
+- \
+- mbstate_t ps; \
+- memset (&ps, '\0', sizeof (ps)); \
+- \
+- while (str2 != NULL && str2 < strend) \
+- if (__mbsnrtowcs (ignore, &str2, strend - str2, \
+- ignore_size, &ps) == (size_t) -1) \
+- { \
+- done = -1; \
+- goto all_done; \
+- } \
+- \
+- if (str2 == NULL) \
+- len = strlen (string); \
+- else \
+- len = str2 - string - (ps.__count & 7); \
+- } \
+- } \
++ /* Search for the end of the string, but don't search past \
++ the length (in bytes) specified by the precision. */ \
++ len = __strnlen (string, prec); \
+ else \
+ len = strlen (string); \
+ } \
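Review bot: The added case in tst-sprintf.c never lets the precision cut the string: `"%.8s\n"` is applied to the six-byte `"Foo: \277"`, so it covers a lone invalid byte but not a character split by the precision, which is what the vfprintf.c hunk now allows. A second assertion such as `sprintf (buf, "%.1s", "\303\244") != 1 || buf[0] != '\303'` (constructed sample, a two-byte UTF-8 character) would pin the byte-counting behaviour. The shortened comment above `len = __strnlen (string, prec);` could also say that the copied bytes may end inside a multibyte character, since callers that hand the result to a strict UTF-8 consumer now have to validate or tolerate a truncated tail. The bodies of process_string_arg and of main continue outside the inner hunks.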
Index: patches/series
===================================================================
--- patches/series (révision 5364)
+++ patches/series (copie de travail)
@@ -367,3 +367,4 @@
any/cvs-vfprintf-many-format-strings.diff
any/cvs-strtod-overflow.diff
any/cvs-arch-lowlevellock.diff
+any/cvs-vfprintf-binary.diff
Index: changelog
===================================================================
--- changelog (révision 5364)
+++ changelog (copie de travail)
@@ -1,6 +1,9 @@
eglibc (2.13-37) UNRELEASED; urgency=low
- *
+ [ Jonathan Nieder ]
+ * patches/any/cvs-vfprintf-binary.diff: new patch from upstream to
+ print incomplete multibyte characters without complaint with %.<num>s.
+ Closes: #208308.
-- Aurelien Jarno <aurel32@debian.org> Fri, 26 Oct 2012 19:26:34 +0200