[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] new class of printf issue: int overflow

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] new class of printf issue: int overflow
From: Felix von Leitner <felix-fulldisclosure@xxxxxxx>
Date: Thu, 11 Jan 2007 15:21:20 +0100

Thus spake Thomas (tom@xxxxxxxxxxxxxxxxxx):
> > I just read some gnupg source code and stumbled upon their
> > vasprintf implementation.
> Did you told them about it?

I'm, uh, still working on that. :-)

> > But that got me thinking.  *printf return an int, and it's supposed to
> > be the number of chars written.  So a typical idiom is
> > 
> >   size_t memory_needed=snprintf(NULL,0,format_string,...);
> >   char* ptr=malloc(memory_needed+1);
> >   sprintf(ptr,format_string,...);
> This is nothing new.
> It is documented in the man-page and in the libc sources.

What is documented in what man page?  Neither the Linux man page nor the
SUSv3 say anything about integer overflows and what sprintf should
return in that case.

And, uh, glibc does not handle the issue, so the libc code does not
document anything either.

Felix

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] new class of printf issue: int overflow
  - From: Thomas

References:
- [Full-disclosure] new class of printf issue: int overflow
  - From: Felix von Leitner
- Re: [Full-disclosure] new class of printf issue: int overflow
  - From: Thomas

Prev by Date: Re: [Full-disclosure] new class of printf issue: int overflow
Next by Date: [Full-disclosure] Of interest maybe
Previous by thread: Re: [Full-disclosure] new class of printf issue: int overflow
Next by thread: Re: [Full-disclosure] new class of printf issue: int overflow
Index(es):
- Date
- Thread