This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
Re: [PATCH] Add format-security warning for scanf conversions with unspecified width
Joseph S. Myers wrote:
> Unlike with string conversions, this is not a security bug in the program
> for numeric conversions but a quality-of-implementation problem in glibc.
> Programs should avoid arbitrary limits where possible, which means not
> using widths for these formats, and either looping and increasing memory
> allocations or using glibc 'a' / TR 24731-2 and POSIX 'm' flags to make
> scanf allocate memory automatically, only using widths for string
> conversions if necessary or if the file format being read has a defined
> limit.
But in this case, it is not memory being allocated by the program (or
even managed by the program) at all, it's internal working storage in
scanf() itself.
> It is clear that the amount of storage needed for a numeric format should
> be bounded, although correct rounding for floating-point formats may
> require thousands of digits to be stored in some cases (but beyond a
> certain point it will only ever be necessary to know if some subsequent
> digit is nonzero). glibc should be improved to bound the storage used;
> for integer formats this shouldn't even be that hard.
Agreed; we'll try to address this with the glibc team. Thanks.
--
Kevin P. Fleming
Digium, Inc. | Director of Software Technologies
445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
skype: kpfleming | jabber: kpfleming@digium.com
Check us out at www.digium.com & www.asterisk.org
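As an added illustration of the distinction drawn in this thread (not code from the original messages, from GCC or from glibc), the following C snippet contrasts string conversions, which need either an explicit width or the POSIX 'm' assignment-allocation flag, with numeric conversions, whose working storage lives inside scanf rather than in the program. Function names and the sample inputs are constructed for the example; it assumes a glibc-style libc that implements the 'm' flag.

```c
#define _POSIX_C_SOURCE 200809L  /* for the 'm' assignment-allocation flag */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* String conversion, POSIX 'm' flag: scanf allocates the buffer itself, so no
 * width is needed and no program-owned buffer can overflow.
 * Returns a malloc'd word (caller frees) or NULL if nothing matched. */
char *read_word_alloc(const char *input)
{
    char *word = NULL;
    if (sscanf(input, "%ms", &word) != 1)
        return NULL;
    return word;
}

/* String conversion into a fixed buffer: the width must be given explicitly
 * (buf_size - 1, leaving room for the terminating NUL) because %s without a
 * width stops only at whitespace, however long the token is. */
int read_word_bounded(const char *input, char *buf, size_t buf_size)
{
    char fmt[32];
    if (buf_size < 2)
        return 0;
    snprintf(fmt, sizeof fmt, "%%%zus", buf_size - 1);  /* e.g. "%7s" */
    return sscanf(input, fmt, buf) == 1;
}

/* Numeric conversion: no width, and nothing for the program to bound. The
 * digits sit in scanf's own working storage; only the int reaches `out`. */
int read_int(const char *input, int *out)
{
    return sscanf(input, "%d", out) == 1;
}

/* Constructed inputs for the three cases; returns the number of checks passed. */
int run_checks(void)
{
    int passed = 0, v = 0;
    char buf[8];
    char *w = read_word_alloc("hello world");
    passed += (w != NULL && strcmp(w, "hello") == 0);
    free(w);
    passed += (read_word_alloc("   \t\n") == NULL);
    /* 16-char token into an 8-byte buffer: truncated to 7 chars, never overflowed */
    passed += read_word_bounded("abcdefghijklmnop", buf, sizeof buf);
    passed += (strcmp(buf, "abcdefg") == 0);
    passed += (read_int("  42 rest", &v) && v == 42);
    return passed;  /* 5 when every case behaves as described */
}
```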