This is the mail archive of the libstdc++@gcc.gnu.org mailing list for the libstdc++ project.
Re: Debug mode output broken
On Fri, Aug 06, 2004 at 11:57:04AM +0100, Jonathan Wakely wrote:
> The reason it works on linux and not elsewhere seems to be this:
>
>   template<typename _Tp>
>     void
>     _Error_formatter::_M_format_word(char* __buf,
>                                      int __n __attribute__((__unused__)),
>                                      const char* __fmt, _Tp __s) const
>     {
> #ifdef _GLIBCXX_USE_C99
>       std::snprintf(__buf, __n, __fmt, __s);
> #else
>       std::sprintf(__buf, __fmt, __s);
> #endif
>     }
>
> If sprintf is used the whole string is copied to the buffer, not just
> the first word (or more correctly, the first __n chars).
Is it possible to inject strings into the error messages used by the
debug mode? If so it would be possible to cause a buffer overflow here.
An inadvertent change to a message that makes it longer than the
128-byte buffer would also cause an overflow. Badness.
e.g. __gnu_debug::_S_debug_messages[10] :
"elements in iterator range [%1.name;, %2.name;)"
" are not sorted according to the predicate %3;"
How long can the three params here get when expanded?
54 chars or more would cause problems IIUC.
jon
--
Horms and I discussed this, and we came up with two categories of people.
People who use vim, and people who don't realize that they could be using vim.
- Geoff Harrison
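A stand-alone model of the hazard discussed above, added here as an example; it is not libstdc++ code and does not reproduce the library's actual formatter. It keeps the two strategies from `_M_format_word` side by side (snprintf, which truncates and NUL-terminates, versus sprintf, whose full output length snprintf's return value reveals) and expands the quoted `_S_debug_messages[10]` template with a simplified placeholder substitution (an assumption: one left-to-right pass over `%1.name;`, `%2.name;` and `%3;`) to measure how much parameter text fits in a 128-byte buffer. The names `format_word_bounded`, `sprintf_would_overflow`, `expand_message` and `param_budget` are all introduced for this example.

```cpp
// Added example, not libstdc++ code: a stand-alone model of the two
// formatting strategies in _M_format_word and of the message expansion,
// used to check how much room the three parameters really have.
#include <cstdio>
#include <cstring>
#include <string>

// Size of the fixed buffer the thread refers to (128 bytes).
constexpr int kBufSize = 128;

// The debug message quoted in the thread (__gnu_debug::_S_debug_messages[10]).
const char* const kMessage =
    "elements in iterator range [%1.name;, %2.name;)"
    " are not sorted according to the predicate %3;";

// Bounded variant (the _GLIBCXX_USE_C99 path): writes at most n-1 characters
// and always NUL-terminates. The return value is the length the complete
// output would have had, i.e. what the sprintf fallback would have written
// into buf regardless of its size.
int format_word_bounded(char* buf, int n, const char* fmt, const char* s) {
    return std::snprintf(buf, static_cast<std::size_t>(n), fmt, s);
}

// True when the unbounded sprintf fallback would overflow a buffer of n bytes:
// snprintf with a zero-length destination measures the output without
// writing anything, and needed + 1 (terminator) > n means overflow.
bool sprintf_would_overflow(int n, const char* fmt, const char* s) {
    int needed = std::snprintf(nullptr, 0, fmt, s);
    return needed >= n;
}

// Substitutes the three placeholders in a debug-message template. This is a
// simplified stand-in for the debug-mode expansion (assumed behaviour, not the
// library's own formatter): one left-to-right pass, and substituted parameter
// text is never re-scanned for placeholders.
std::string expand_message(const std::string& templ,
                           const char* p1, const char* p2, const char* p3) {
    const struct { const char* key; const char* val; } subs[] = {
        {"%1.name;", p1}, {"%2.name;", p2}, {"%3;", p3},
    };
    std::string out;
    std::string::size_type i = 0;
    while (i < templ.size()) {
        bool matched = false;
        for (const auto& sub : subs) {
            std::size_t klen = std::strlen(sub.key);
            if (templ.compare(i, klen, sub.key) == 0) {
                out += sub.val;
                i += klen;
                matched = true;
                break;
            }
        }
        if (!matched)
            out += templ[i++];
    }
    return out;
}

// Combined length the three parameters may reach before the expanded message
// no longer fits in kBufSize bytes including the NUL terminator.
int param_budget(const char* templ) {
    std::string fixed = expand_message(templ, "", "", "");
    return kBufSize - 1 - static_cast<int>(fixed.size());
}

int main() {
    std::printf("fixed text: %zu chars, parameter budget: %d chars\n",
                expand_message(kMessage, "", "", "").size(),
                param_budget(kMessage));

    // Constructed inputs: 20 + 20 + 14 = 54 characters of parameter text,
    // one more than the budget.
    std::string a(20, 'A'), b(20, 'B'), c(14, 'C');
    std::string expanded = expand_message(kMessage, a.c_str(), b.c_str(), c.c_str());
    std::printf("expanded length %zu, sprintf overflow: %s\n", expanded.size(),
                sprintf_would_overflow(kBufSize, "%s", expanded.c_str()) ? "yes" : "no");

    // The bounded path reports the full length but stores only what fits.
    char buf[kBufSize];
    int needed = format_word_bounded(buf, kBufSize, "%s", expanded.c_str());
    std::printf("snprintf kept %zu of %d chars\n", std::strlen(buf), needed);
    return 0;
}
```

With the template above the fixed text is 74 characters, leaving 53 characters for the three expanded parameters; at 54 the sprintf fallback writes 129 bytes into a 128-byte buffer, which matches the figure given in the message. The same `needed >= n` check on snprintf's return value is what a caller would use to detect truncation when the bounded path is taken.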