[prev in list] [next in list] [prev in thread] [next in thread] 

List:       busybox
Subject:    Re: [PATCH] printf: fix format string sanity check
From:       Denys Vlasenko <vda.linux () googlemail ! com>
Date:       2017-07-18 14:02:41
Message-ID: CAK1hOcOGrYCx9jZkR=b14DcdkxVCVXW=9_xQPbWwEquuqDzuwA () mail ! gmail ! com
[Download RAW message or body]

Applied, thanks!

On Tue, Jul 18, 2017 at 10:33 AM, Ron Yorston <rmy@pobox.com> wrote:
> One of the tests for printf checks for an invalid bare '%' in the
> format string:
>
>    $ busybox printf '%' a b c
>    printf: %: invalid format
>
> On x86_64 a slightly different test doesn't work correctly:
>
>    $ busybox printf '%' d e f
>    printf: invalid number 'd'
>    printf: invalid number 'e'
>    printf: invalid number 'f'
>
> On other platforms the test fails randomly depending on how the
> arguments are laid out in memory.
>
> There are two places in the code where strchr is used to determine if
> a character in the format string is valid.  However, strchr also returns
> a valid pointer if the character being searched for is the null terminator
> thus causing the code to incorrectly suppose that a valid character has
> been found.
>
> Add explicit checks for the null terminator.
>
> Signed-off-by: Ron Yorston <rmy@pobox.com>
> ---
>  coreutils/printf.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/coreutils/printf.c b/coreutils/printf.c
> index bc22e0ee7..65bb5a935 100644
> --- a/coreutils/printf.c
> +++ b/coreutils/printf.c
> @@ -305,7 +305,7 @@ static char **print_formatted(char *f, char **argv, int *conv_err)
>                                 }
>                                 break;
>                         }
> -                       if (strchr("-+ #", *f)) {
> +                       if (*f && strchr("-+ #", *f)) {
>                                 ++f;
>                                 ++direc_length;
>                         }
> @@ -348,7 +348,7 @@ static char **print_formatted(char *f, char **argv, int *conv_err)
>                                 static const char format_chars[] ALIGN1 = "diouxXfeEgGcs";
>                                 char *p = strchr(format_chars, *f);
>                                 /* needed - try "printf %" without it */
> -                               if (p == NULL) {
> +                               if (p == NULL || *f == '\0') {
>                                         bb_error_msg("%s: invalid format", direc_start);
>                                         /* causes main() to exit with error */
>                                         return saved_argv - 1;
> --
> 2.13.3
>
> _______________________________________________
> busybox mailing list
> busybox@busybox.net
> http://lists.busybox.net/mailman/listinfo/busybox
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic