From: Gabriel Ravier
To: musl@lists.openwall.com
Cc: Gabriel Ravier
Date: Fri, 14 Apr 2023 16:55:42 +0200
Message-Id: <20230414145543.2877269-1-gabravier@gmail.com>
Subject: [musl] [PATCH] fix wide printf numbered argument buffer overflow

The nl_type and nl_arg arrays defined in vfwprintf may be accessed with an
index up to and including NL_ARGMAX, but they are only of size NL_ARGMAX,
meaning they may be written to or read from 1 element too far.

For example, the following program:

#include <assert.h>  /* header names were lost from the message text;
                        these are the headers this program needs */
#include <stddef.h>
#include <wchar.h>

int main(void)
{
    /* fill a stack buffer with a known pattern before the call */
    char buffer[500];
    for (size_t i = 0; i < sizeof(buffer); ++i)
        buffer[i] = (i % 3) ? 0 : 42;

    /* positional argument 1 with a 1-element output buffer */
    wchar_t result;
    int ret = swprintf(&result, 1, L"%1$s", "");
    assert(ret != -1);
}

evidences the bug by sometimes mistakenly failing the assertion and always
triggering a warning under valgrind (the behavior is highly dependent on
build configuration - I could only reproduce the assert failure with GCC
12.2.1 on a very specific system - but the bug is still there, as evidenced
by the warning valgrind always emits).

This patch fixes this.
---
 src/stdio/vfwprintf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c
index 18784113..53697701 100644
--- a/src/stdio/vfwprintf.c
+++ b/src/stdio/vfwprintf.c
@@ -347,8 +347,8 @@ overflow: int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap) { va_list ap2; - int nl_type[NL_ARGMAX] = {0}; - union arg nl_arg[NL_ARGMAX]; + int nl_type[NL_ARGMAX+1] = {0}; + union arg nl_arg[NL_ARGMAX+1]; int olderr; int ret; -- 2.39.2
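Review bot: the hunk enlarges nl_type and nl_arg to NL_ARGMAX+1 so that the 1-based position NL_ARGMAX is in bounds, but it does not show the range check that guards these indices; confirm that the check applied to parsed positions rejects values greater than NL_ARGMAX (a `> NL_ARGMAX` test, not `>= NL_ARGMAX`) so the accepted range 1..NL_ARGMAX matches the new array size exactly, and that no other loop or access in the function still assumes a size of NL_ARGMAX. The commit message should also say whether the narrow-character vfprintf declares the same pair of arrays and, if it does, whether it already uses the NL_ARGMAX+1 sizing, so a reader can tell the two implementations stay consistent. The `= {0}` initializer zeroes the extra nl_type slot; the new nl_arg slot, like the rest of that array, stays uninitialized, which matches the existing declaration.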
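The commit message describes an off-by-one between a 1-based "%n$" argument position and a table sized NL_ARGMAX. The following is an added example, not code from this patch or from musl: a small model of such a table, sized NL_ARGMAX+1, with the range check that must agree with that size, and a simplified format scanner that only parses the "%n$" position and the conversion letter (flags, width and precision are not handled). It assumes NL_ARGMAX from <limits.h>, falling back to the POSIX minimum of 9 when the header does not define it; the functions argtab_set, parse_position, scan_positions and the wrappers below are hypothetical names.

```c
/* Added example, not musl code: a positional-argument table indexed by the
 * 1-based "%n$" position, sized NL_ARGMAX+1 so position NL_ARGMAX itself fits. */
#include <limits.h>   /* NL_ARGMAX on POSIX systems */
#include <stdbool.h>
#include <stdio.h>

#ifndef NL_ARGMAX
#define NL_ARGMAX 9   /* POSIX minimum; assumed only when <limits.h> lacks it */
#endif

/* One slot per valid position 1..NL_ARGMAX; slot 0 is never used.
 * With only NL_ARGMAX slots, position NL_ARGMAX would be one past the end. */
struct argtab {
    int type[NL_ARGMAX + 1];
    int count;              /* highest position recorded so far */
};

/* Record a conversion type for position pos. This range check is the one
 * that must agree with the array size: "pos > NL_ARGMAX" rejects exactly the
 * positions that would fall outside type[NL_ARGMAX + 1]. */
static bool argtab_set(struct argtab *t, int pos, int type)
{
    if (pos < 1 || pos > NL_ARGMAX)
        return false;
    t->type[pos] = type;
    if (pos > t->count)
        t->count = pos;
    return true;
}

/* Parse "<digits>$" at s. Returns the position and stores the pointer past
 * the '$' in *end; returns 0 if s is not a positional spec (no '$' after the
 * digits) and -1 if the position is above NL_ARGMAX. */
static int parse_position(const char *s, const char **end)
{
    long n = 0;
    const char *p = s;
    while (*p >= '0' && *p <= '9') {
        if (n <= NL_ARGMAX)               /* stop growing: larger is out of range anyway */
            n = n * 10 + (*p - '0');
        p++;
    }
    if (p == s || *p != '$')
        return 0;
    *end = p + 1;
    return n > NL_ARGMAX ? -1 : (int)n;
}

/* Walk a format string and record every "%n$" position in the table.
 * Returns the highest position used, or -1 for an out-of-range or malformed spec. */
static int scan_positions(const char *fmt, struct argtab *t)
{
    t->count = 0;
    for (int i = 0; i <= NL_ARGMAX; i++)
        t->type[i] = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '\0')
            return -1;                    /* dangling '%' */
        if (*p == '%')
            continue;                     /* literal percent */
        const char *after;
        int pos = parse_position(p, &after);
        if (pos < 0)
            return -1;                    /* position above NL_ARGMAX: never indexed */
        if (pos == 0)
            continue;                     /* sequential argument, not modelled here */
        if (*after == '\0' || !argtab_set(t, pos, (unsigned char)*after))
            return -1;
        p = after;                        /* the loop's p++ steps past the conversion */
    }
    return t->count;
}

/* Wrappers so results can be checked without handling a table directly. */
static int highest_position(const char *fmt)
{
    struct argtab t;
    return scan_positions(fmt, &t);
}

static int type_at(const char *fmt, int pos)
{
    struct argtab t;
    if (scan_positions(fmt, &t) < 0 || pos < 1 || pos > NL_ARGMAX)
        return -1;
    return t.type[pos];
}

/* Build "%<n>$d" for n = NL_ARGMAX (must be accepted) or NL_ARGMAX+1 (must be rejected). */
static int scan_at_max(void)
{
    char fmt[32];
    struct argtab t;
    snprintf(fmt, sizeof fmt, "%%%d$d", NL_ARGMAX);
    return scan_positions(fmt, &t);
}

static int scan_one_past_max(void)
{
    char fmt[32];
    struct argtab t;
    snprintf(fmt, sizeof fmt, "%%%d$d", NL_ARGMAX + 1);
    return scan_positions(fmt, &t);
}

int main(void)
{
    printf("NL_ARGMAX = %d\n", NL_ARGMAX);
    printf("highest position in \"%%2$s %%1$d\": %d\n", highest_position("%2$s %1$d"));
    printf("position NL_ARGMAX accepted: %d\n", scan_at_max() == NL_ARGMAX);
    printf("position NL_ARGMAX+1 rejected: %d\n", scan_one_past_max() == -1);
    return 0;
}
```

The point to take from the model is that the two facts have to be decided together: the largest position the check lets through and the number of slots the array has. Position NL_ARGMAX is valid, so the array needs NL_ARGMAX+1 slots; a check written against the array size rather than the position range, or an array sized against the position count rather than the largest index, produces exactly the one-element overrun the patch fixes.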