From: Szabolcs Nagy <nsz@port70.net>
To: musl@lists.openwall.com
Subject: Re: Re: musl, printf out-of-memory test
Date: Wed, 20 Jun 2012 09:30:53 +0200 [thread overview]
Message-ID: <20120620073053.GX17860@port70.net> (raw)
In-Reply-To: <20120620015249.GT163@brightrain.aerifal.cx>
* Rich Felker <dalias@aerifal.cx> [2012-06-19 21:52:49 -0400]:
> On Tue, Jun 19, 2012 at 11:17:33PM +0200, Bruno Haible wrote:
> > Hope this helps.
>
> Yes, it helped a lot. Thanks! The problem was an obscure
> pointer-arithmetic overflow that could only happen in 32-bit binaries
> running on a 64-bit kernel where the stack pointer is near the 4GB
> boundary. This is why I couldn't reproduce it: I'm on a 32-bit
> kernel where the stack is at 3GB and there's no way an offset bounded
> by INT_MAX/9 could reach past 4GB. That's my excuse for why it was
> never noticed before, but it still doesn't justify the bug, which is a
> nasty instance of UB (pointer arithmetic outside array bounds).
>
> Anyway, it's fixed now.
>
you mentioned another potential out of bound pointer arithmetics there
but it's not yet fixed:
diff --git a/src/stdio/vfprintf.c b/src/stdio/vfprintf.c
index a3bf18d..116e1ce 100644
--- a/src/stdio/vfprintf.c
+++ b/src/stdio/vfprintf.c
@@ -319,7 +319,7 @@ static int fmt_fp(FILE *f, long double y, int w, int p, int fl, int t)
if (j < 9*(z-r-1)) {
uint32_t x;
/* We avoid C's broken division of negative numbers */
- d = r + 1 + (j+9*LDBL_MAX_EXP)/9 - LDBL_MAX_EXP;
+ d = r + 1 + ((j+9*LDBL_MAX_EXP)/9 - LDBL_MAX_EXP);
j += 9*LDBL_MAX_EXP;
j %= 9;
for (i=10, j++; j<9; i*=10, j++);
next prev parent reply other threads:[~2012-06-20 7:30 UTC|newest]
Thread overview: 34+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20120609230541.47eac2de@newbook>
[not found] ` <4FD55156.7050302@cs.ucla.edu>
[not found] ` <20120611182202.1ee4d019@newbook>
2012-06-17 22:49 ` musl bugs found through gnulib Bruno Haible
2012-06-17 23:54 ` Rich Felker
2012-06-18 8:21 ` Szabolcs Nagy
2012-06-18 13:02 ` John Spencer
2012-06-18 14:55 ` Rich Felker
2012-06-18 15:26 ` Szabolcs Nagy
2012-06-18 16:00 ` Rich Felker
2012-06-19 13:26 ` John Spencer
2012-06-18 0:16 ` [musl] " idunham
2012-06-19 0:11 ` Rich Felker
2012-06-19 2:07 ` [musl] " Eric Blake
2012-06-19 2:52 ` Rich Felker
2012-06-19 11:03 ` musl, fdopen test Bruno Haible
2012-06-19 11:09 ` Jim Meyering
2012-06-20 20:52 ` Bruno Haible
2012-06-19 10:45 ` musl, printf out-of-memory test Bruno Haible
2012-06-19 19:16 ` Rich Felker
2012-06-19 20:04 ` Bruno Haible
2012-06-19 20:08 ` Rich Felker
2012-06-19 21:17 ` Bruno Haible
2012-06-20 1:52 ` Rich Felker
2012-06-20 7:30 ` Szabolcs Nagy [this message]
2012-06-20 9:35 ` Bruno Haible
2012-06-20 11:00 ` Jim Meyering
2012-06-21 19:58 ` Tom Tromey
2012-06-20 3:04 ` Re: musl bugs found through gnulib Rich Felker
2012-06-20 4:10 ` [musl] " Eric Blake
2012-06-20 13:27 ` Rich Felker
2012-06-20 7:32 ` Szabolcs Nagy
2012-06-22 10:39 ` grantpt test Bruno Haible
2012-07-02 22:33 ` [musl] Re: musl bugs found through gnulib Pádraig Brady
2012-06-20 19:28 ` Rich Felker
2012-06-21 2:21 ` Rich Felker
2012-06-21 8:52 ` [musl] " Paul Eggert
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120620073053.GX17860@port70.net \
--to=nsz@port70.net \
--cc=musl@lists.openwall.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/musl/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).