Re: new class of printf issue: int overflow

[Thomas <tom () electric-sheep org>]

Hello Felix.


Am Donnerstag, 11. Januar 2007 02:00 schrieb Felix von Leitner:
> This is about two issues.  First: abs within vasprintf.
>
> I just read some gnupg source code and stumbled upon their
> vasprintf implementation.

Did you told them about it?


> Second issue: int overflow in *printf:
>
> But that got me thinking.  *printf return an int, and it's supposed to
> be the number of chars written.  So a typical idiom is
>
>   size_t memory_needed=snprintf(NULL,0,format_string,...);
>   char* ptr=malloc(memory_needed+1);
>   sprintf(ptr,format_string,...);

This is nothing new.
It is documented in the man-page and in the libc sources.

By coincidence I found such a bug while doing a code review
a few weeks ago. But in this case the return value was used
in calculating an pointer offset and using this pointer again
in sprintf(). At the end the result was an overflow. :-)

Bye
Thomas

-- 
Tom <tom () electric-sheep org>
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/