This is the mail archive of the
gcc-patches@gcc.gnu.org
mailing list for the GCC project.
Re: [PATCH] - improve sprintf buffer overflow detection (middle-end/49905)
On Wed, 24 Aug 2016, Martin Sebor wrote:
> No. I recall having seen Glibc fail with ENOMEM years ago when
> formatting a floating point number to a very large precision but
> I haven't seen any implementation fail. I haven't yet looked to
> see if the Glibc failure can still happen. My reading of C and
> POSIX is that snprintf is only allowed to fail due to an encoding
> error, not because it runs out of memory, so such a failure would
> seem like a bug.
It's a general ISO C principle that there may be implementation limits,
including in areas where no specific minimum limit is given in the
standard, and even where there is a mimimum, that doesn't mean that every
possible program that does not exceed that minimum does not exceed the
limit in that area. In this case, a specific minimum limit is given,
7.21.6.1#15 "The number of characters that can be produced by any single
conversion shall be at least 4095.". That is, libc can't reject all cases
of larger results, but it's possible that if memory is short then some
cases with shorter results could still fail.
It's also a general POSIX principle that functions may have additional
error conditions beyond those given in the standard, when it's possible
for them to return errors at all.
(Since people may wish to use snprintf / dprintf in signal handlers,
avoiding malloc where possible in those functions is still a good idea.)
> > * It looks like you convert to (signed/unsigned) char for %hh formats,
> > etc. Now, there is the possibility that the value passed was actually of
> > type int, and out of range for those types. And there is the possibility
> > that the implementation might not itself convert those values to char /
> > short (glibc didn't until 2006) - passing a value outside the range of the
> > relevant type seems likely undefined behavior, so implementations may not
> > actually need to convert, and there's an open question about whether the
> > value actually needs to have been promoted from char/short in the caller
> > (see my <https://www.polyomino.org.uk/computer/c/pre-dr-6a.txt>). I don't
> > know if you wish to allow at all for this issue.
>
> It sounds like the concern is that for the following call (when
> UCHAR_MAX is 255):
>
> sprintf (d, "%hhu", 1000)
>
> some implementation (an old version of Glibc?) may have actually
> produced four digits and returned 4 on the basis of C saying that
> the %hhu argument must be an unsigned char (promoted to int) and
> thus the behavior of the call being undefined.
Yes.
--
Joseph S. Myers
joseph@codesourcery.com