Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 3 Nov 2022 20:42:16 +0100
From: Markus Wichmann <>
Subject: Invalid read of nl_arg in printf_core()

Hi all,

reading some code today, I noticed undefined behavior in printf_core().
vfprintf() creates an array called nl_arg automatically and does not
initialize it. That is fine, but it means that reads from each array
member are undefined behavior until that member gets assigned a value.

printf_core() gets the array passed in as argument, and will read it in
both passes. Unfortunately, it only assigns values to the array at the
end of the first pass. Therefore the reads from nl_arg in the first pass
are undefined.

I also noticed that the assignments to nl_type in the second pass, while
not undefined behavior, are just futile, since nl_type is only read
during the initialization of nl_arg, at the end of the first pass.
Therefore we can simply alternate the assignments depending on what pass
we are in. Please have a look at the attached patch.


View attachment "0001-Prevent-invalid-reads-of-nl_arg-in-printf_core.patch" of type "text/x-diff" (2313 bytes)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.