mirror of
git://sourceware.org/git/glibc.git
synced 2024-11-21 01:12:26 +08:00
2d9837c1fb
According to ISO C99, passing the same buffer as source and destination
to sprintf, snprintf, vsprintf, or vsnprintf has undefined behavior.
Until the commit
commit 4e2f43f842
Author: Zack Weinberg <zackw@panix.com>
Date: Wed Mar 7 14:32:03 2018 -0500
Use PRINTF_FORTIFY instead of _IO_FLAGS2_FORTIFY (bug 11319)
a call to sprintf or vsprintf with overlapping buffers, for instance
vsprintf (buf, "%sTEXT", buf), would append `TEXT' into buf, while a
call to snprintf or vsnprintf would override the contents of buf.
After the aforementioned commit, the behavior of sprintf and vsprintf
changed (so that they also override the contents of buf).
This patch reverts this behavioral change, because it will likely break
applications that rely on the previous behavior, even though it is
undefined by ISO C. As noted by Szabolcs Nagy, this is used in SPEC2017
507.cactuBSSN_r/src/PUGH/PughUtils.c:
sprintf(mess," Size:");
for (i=0;i<dim+1;i++)
{
sprintf(mess,"%s %d",mess,pughGH->GFExtras[dim]->nsize[i]);
}
More important to notice is the fact that the overwriting of the
destination buffer is not the only behavior affected by the refactoring.
Before the refactoring, sprintf and vsprintf would use _IO_str_jumps,
whereas __sprintf_chk and __vsprintf_chk would use _IO_str_chk_jumps.
After the refactoring, all use _IO_str_chk_jumps, which would make
sprintf and vsprintf report buffer overflows and terminate the program.
This patch also reverts this behavior, by installing the appropriate
jump table for each *sprintf functions.
Apart from reverting the changes, this patch adds a test case that has
the old behavior hardcoded, so that regressions are noticed if something
else unintentionally changes the behavior.
Tested for powerpc64le.
110 lines
3.8 KiB
C
110 lines
3.8 KiB
C
/* Copyright (C) 1993-2019 Free Software Foundation, Inc.
|
|
This file is part of the GNU C Library.
|
|
|
|
The GNU C Library is free software; you can redistribute it and/or
|
|
modify it under the terms of the GNU Lesser General Public
|
|
License as published by the Free Software Foundation; either
|
|
version 2.1 of the License, or (at your option) any later version.
|
|
|
|
The GNU C Library is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
Lesser General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Lesser General Public
|
|
License along with the GNU C Library; if not, see
|
|
<http://www.gnu.org/licenses/>.
|
|
|
|
As a special exception, if you link the code in this file with
|
|
files compiled with a GNU compiler to produce an executable,
|
|
that does not cause the resulting executable to be covered by
|
|
the GNU Lesser General Public License. This exception does not
|
|
however invalidate any other reasons why the executable file
|
|
might be covered by the GNU Lesser General Public License.
|
|
This exception applies to code released by its copyright holders
|
|
in files containing the exception. */
|
|
|
|
#include "libioP.h"
|
|
#include "strfile.h"
|
|
|
|
static int __THROW
|
|
_IO_str_chk_overflow (FILE *fp, int c)
|
|
{
|
|
/* If we get here, the user-supplied buffer would be overrun by
|
|
further output. */
|
|
__chk_fail ();
|
|
}
|
|
|
|
static const struct _IO_jump_t _IO_str_chk_jumps libio_vtable =
|
|
{
|
|
JUMP_INIT_DUMMY,
|
|
JUMP_INIT(finish, _IO_str_finish),
|
|
JUMP_INIT(overflow, _IO_str_chk_overflow),
|
|
JUMP_INIT(underflow, _IO_str_underflow),
|
|
JUMP_INIT(uflow, _IO_default_uflow),
|
|
JUMP_INIT(pbackfail, _IO_str_pbackfail),
|
|
JUMP_INIT(xsputn, _IO_default_xsputn),
|
|
JUMP_INIT(xsgetn, _IO_default_xsgetn),
|
|
JUMP_INIT(seekoff, _IO_str_seekoff),
|
|
JUMP_INIT(seekpos, _IO_default_seekpos),
|
|
JUMP_INIT(setbuf, _IO_default_setbuf),
|
|
JUMP_INIT(sync, _IO_default_sync),
|
|
JUMP_INIT(doallocate, _IO_default_doallocate),
|
|
JUMP_INIT(read, _IO_default_read),
|
|
JUMP_INIT(write, _IO_default_write),
|
|
JUMP_INIT(seek, _IO_default_seek),
|
|
JUMP_INIT(close, _IO_default_close),
|
|
JUMP_INIT(stat, _IO_default_stat),
|
|
JUMP_INIT(showmanyc, _IO_default_showmanyc),
|
|
JUMP_INIT(imbue, _IO_default_imbue)
|
|
};
|
|
|
|
/* This function is called by regular vsprintf with maxlen set to -1,
|
|
and by vsprintf_chk with maxlen set to the size of the output
|
|
string. In the former case, _IO_str_chk_overflow will never be
|
|
called; in the latter case it will crash the program if the buffer
|
|
overflows. */
|
|
|
|
int
|
|
__vsprintf_internal (char *string, size_t maxlen,
|
|
const char *format, va_list args,
|
|
unsigned int mode_flags)
|
|
{
|
|
_IO_strfile sf;
|
|
int ret;
|
|
|
|
#ifdef _IO_MTSAFE_IO
|
|
sf._sbf._f._lock = NULL;
|
|
#endif
|
|
_IO_no_init (&sf._sbf._f, _IO_USER_LOCK, -1, NULL, NULL);
|
|
/* When called from fortified sprintf/vsprintf, erase the destination
|
|
buffer and try to detect overflows. When called from regular
|
|
sprintf/vsprintf, do not erase the destination buffer, because
|
|
known user code relies on this behavior (even though its undefined
|
|
by ISO C), nor try to detect overflows. */
|
|
if ((mode_flags & PRINTF_CHK) != 0)
|
|
{
|
|
_IO_JUMPS (&sf._sbf) = &_IO_str_chk_jumps;
|
|
string[0] = '\0';
|
|
}
|
|
else
|
|
_IO_JUMPS (&sf._sbf) = &_IO_str_jumps;
|
|
_IO_str_init_static_internal (&sf, string,
|
|
(maxlen == -1) ? -1 : maxlen - 1,
|
|
string);
|
|
|
|
ret = __vfprintf_internal (&sf._sbf._f, format, args, mode_flags);
|
|
|
|
*sf._sbf._f._IO_write_ptr = '\0';
|
|
return ret;
|
|
}
|
|
|
|
int
|
|
__vsprintf (char *string, const char *format, va_list args)
|
|
{
|
|
return __vsprintf_internal (string, -1, format, args, 0);
|
|
}
|
|
|
|
ldbl_strong_alias (__vsprintf, _IO_vsprintf)
|
|
ldbl_weak_alias (__vsprintf, vsprintf)
|