
Bug#208308: *printf() and incomplete multibyte sequences may cause infinite loops in applications



found 208308 eglibc/2.13-36
tags 208308 + upstream patch
# C99 compliance
severity 208308 important
quit

Mike Hommey wrote:

> There is no "l" modifier, but still, the string goes through the
> multibyte conversion code, and fails because the string is invalid
> multibyte.

How about this patch?
Index: patches/any/cvs-vfprintf-binary.diff
===================================================================
--- patches/any/cvs-vfprintf-binary.diff	(révision 0)
+++ patches/any/cvs-vfprintf-binary.diff	(copie de travail)
@@ -0,0 +1,110 @@
+2012-09-28  Andreas Schwab  <schwab@linux-m68k.org>
+
+	[BZ #6530]
+	* stdio-common/vfprintf.c (process_string_arg): Revert
+	2000-07-22 change.
+
+2011-09-28  Jonathan Nieder  <jrnieder@gmail.com>
+
+	* stdio-common/Makefile (tst-sprintf-ENV): Set environment
+	for testcase.
+	* stdio-common/tst-sprintf.c: Include <locale.h>
+	(main): Test sprintf's handling of incomplete multibyte
+	characters.
+
+ stdio-common/Makefile      |  1 +
+ stdio-common/tst-sprintf.c | 13 +++++++++++++
+ stdio-common/vfprintf.c    | 39 +++------------------------------------
+ 3 files changed, 17 insertions(+), 36 deletions(-)
+
+diff --git a/stdio-common/Makefile b/stdio-common/Makefile
+index 1431a211..5625bd3e 100644
+--- a/stdio-common/Makefile
++++ b/stdio-common/Makefile
+@@ -136,6 +136,7 @@ CFLAGS-scanf17.c = -I../libio -I../stdlib -I../wcsmbs -I../time -I../string \
+ 
+ # We know the test has a format string problem.
+ CFLAGS-tst-sprintf.c = -Wno-format
++tst-sprintf-ENV = LOCPATH=$(common-objpfx)localedata
+ tst-sscanf-ENV = LOCPATH=$(common-objpfx)localedata
+ tst-swprintf-ENV = LOCPATH=$(common-objpfx)localedata
+ test-vfprintf-ENV = LOCPATH=$(common-objpfx)localedata
+diff --git a/stdio-common/tst-sprintf.c b/stdio-common/tst-sprintf.c
+index bfa79c9c..42159a26 100644
+--- a/stdio-common/tst-sprintf.c
++++ b/stdio-common/tst-sprintf.c
+@@ -1,5 +1,6 @@
+ #include <stdio.h>
+ #include <stdlib.h>
++#include <locale.h>
+ #include <string.h>
+ #include <gnu/option-groups.h>
+ 
+@@ -61,5 +62,17 @@ main (void)
+       result = 1;
+     }
+ 
++  if (setlocale (LC_ALL, "de_DE.UTF-8") == NULL)
++    {
++      puts ("cannot set locale");
++      result = 1;
++    }
++  else if (sprintf (buf, "%.8s\n", "Foo: \277") != 7
++	   || strcmp (buf, "Foo: \277\n") != 0)
++    {
++      printf ("sprintf (buf, \"%%.8s\\n\", \"Foo: \\277\") produced '%s' output\n", buf);
++      result = 1;
++    }
++
+   return result;
+ }
+diff --git a/stdio-common/vfprintf.c b/stdio-common/vfprintf.c
+index 927c0c26..25a2c5dd 100644
+--- a/stdio-common/vfprintf.c
++++ b/stdio-common/vfprintf.c
+@@ -1180,42 +1180,9 @@ vfprintf (FILE *s, const CHAR_T *format, va_list ap)
+ 	else if (!is_long && spec != L_('S'))				      \
+ 	  {								      \
+ 	    if (prec != -1)						      \
+-	      {								      \
+-		/* Search for the end of the string, but don't search past    \
+-		   the length (in bytes) specified by the precision.  Also    \
+-		   don't use incomplete characters.  */			      \
+-		if (! LOCALE_SUPPORT                                          \
+-                    ||_NL_CURRENT_WORD (LC_CTYPE, _NL_CTYPE_MB_CUR_MAX) == 1) \
+-		  len = __strnlen (string, prec);			      \
+-		else							      \
+-		  {							      \
+-		    /* In case we have a multibyte character set the	      \
+-		       situation is more complicated.  We must not copy	      \
+-		       bytes at the end which form an incomplete character. */\
+-		    size_t ignore_size = (unsigned) prec > 1024 ? 1024 : prec;\
+-		    wchar_t ignore[ignore_size];			      \
+-		    const char *str2 = string;				      \
+-		    const char *strend = string + prec;			      \
+-		    if (strend < string)				      \
+-		      strend = (const char *) UINTPTR_MAX;		      \
+-									      \
+-		    mbstate_t ps;					      \
+-		    memset (&ps, '\0', sizeof (ps));			      \
+-									      \
+-		    while (str2 != NULL && str2 < strend)		      \
+-		      if (__mbsnrtowcs (ignore, &str2, strend - str2,	      \
+-					ignore_size, &ps) == (size_t) -1)     \
+-			{						      \
+-			  done = -1;					      \
+-			  goto all_done;				      \
+-			}						      \
+-									      \
+-		    if (str2 == NULL)					      \
+-		      len = strlen (string);				      \
+-		    else						      \
+-		      len = str2 - string - (ps.__count & 7);		      \
+-		  }							      \
+-	      }								      \
++	      /* Search for the end of the string, but don't search past      \
++		 the length (in bytes) specified by the precision.  */	      \
++	      len = __strnlen (string, prec);				      \
+ 	    else							      \
+ 	      len = strlen (string);					      \
+ 	  }								      \
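Review bot: The new check in tst-sprintf.c only exercises an invalid byte that lies entirely inside the precision (`"%.8s"` applied to a 6-byte string), so the case the removed vfprintf.c branch special-cased, a precision that ends in the middle of a valid multibyte character, is left untested. A second case along the lines of `else if (sprintf (buf, "%.1s\n", "\303\244") != 2 || strcmp (buf, "\303\n") != 0)`, reporting failure the same way, would pin the byte-counting behaviour. The shortened comment above `len = __strnlen (string, prec);` could also state the consequence, for example `/* The precision counts bytes, so the output may end in the middle of a multibyte character.  */`, because callers that hand `%.Ns` output to consumers expecting well-formed UTF-8 now have to validate it themselves. Both `main` and the `process_string_arg` macro start and end outside the lines shown.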
Index: patches/series
===================================================================
--- patches/series	(révision 5364)
+++ patches/series	(copie de travail)
@@ -367,3 +367,4 @@
 any/cvs-vfprintf-many-format-strings.diff
 any/cvs-strtod-overflow.diff
 any/cvs-arch-lowlevellock.diff
+any/cvs-vfprintf-binary.diff
Index: changelog
===================================================================
--- changelog	(révision 5364)
+++ changelog	(copie de travail)
@@ -1,6 +1,9 @@
 eglibc (2.13-37) UNRELEASED; urgency=low
 
-  * 
+  [ Jonathan Nieder ]
+  * patches/any/cvs-vfprintf-binary.diff: new patch from upstream to
+    print incomplete multibyte characters without complaint with %.<num>s.
+    Closes: #208308.
 
  -- Aurelien Jarno <aurel32@debian.org>  Fri, 26 Oct 2012 19:26:34 +0200
 
