Date: Thu, 3 Nov 2022 20:42:16 +0100
From: Markus Wichmann <nullplan@....net>
To: musl@...ts.openwall.com
Subject: Invalid read of nl_arg in printf_core()

Hi all,

reading some code today, I noticed undefined behavior in printf_core(). vfprintf() creates an array called nl_arg automatically and does not initialize it. That is fine, but it means that reads from each array member are undefined behavior until that member gets assigned a value.

printf_core() gets the array passed in as argument, and will read it in both passes. Unfortunately, it only assigns values to the array at the end of the first pass. Therefore the reads from nl_arg in the first pass are undefined.

I also noticed that the assignments to nl_type in the second pass, while not undefined behavior, are just futile, since nl_type is only read during the initialization of nl_arg, at the end of the first pass. Therefore we can simply alternate the assignments depending on what pass we are in.

Please have a look at the attached patch.

Ciao,
Markus

View attachment "0001-Prevent-invalid-reads-of-nl_arg-in-printf_core.patch" of type "text/x-diff" (2313 bytes)
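The pass structure the mail describes, as an added toy example (not musl's code, and not the attached patch): the first pass only records argument types in nl_type and never touches nl_arg, the va_list is walked once to fill nl_arg, and the second pass only reads nl_arg. Only positional "%N$d" conversions are supported; the function names and the NL_ARGMAX value are assumptions.

```c
#include <stdarg.h>

#define NL_ARGMAX 9
enum { T_NONE = 0, T_INT = 1 };  /* toy: only int arguments */

/* One pass over fmt. pass 1: fill nl_type, then pop the va_list into nl_arg.
 * pass 2: read nl_arg and write each converted value to out.
 * Returns number of conversions (0 after pass 1), or -1 on a malformed spec. */
static int core(const char *fmt, int pass, int *nl_type, int *nl_arg,
                int *out, int nout, va_list *ap)
{
    int n = 0, maxarg = 0;
    for (const char *s = fmt; *s; s++) {
        if (*s != '%') continue;
        s++;
        if (*s == '%') continue;                     /* literal "%%" */
        if (*s < '1' || *s > '9' || s[1] != '$' || s[2] != 'd') return -1;
        int argpos = *s - '0';
        s += 2;
        if (pass == 1) {
            /* nl_arg is still uninitialized here: record the type only */
            if (nl_type[argpos] && nl_type[argpos] != T_INT) return -1;
            nl_type[argpos] = T_INT;
            if (argpos > maxarg) maxarg = argpos;
        } else {
            /* nl_arg was filled at the end of pass 1: safe to read */
            if (n < nout) out[n] = nl_arg[argpos];
            n++;
        }
    }
    if (pass == 1) {
        /* every slot up to the highest one used needs a type, or the
         * va_list cannot be walked in order */
        for (int i = 1; i <= maxarg; i++) {
            if (nl_type[i] == T_NONE) return -1;
            nl_arg[i] = va_arg(*ap, int);
        }
    }
    return n;
}

int format_positional_ints(const char *fmt, int *out, int nout, ...)
{
    int nl_type[NL_ARGMAX + 1] = {0};
    int nl_arg[NL_ARGMAX + 1];   /* left uninitialized on purpose, as in vfprintf */
    va_list ap;
    va_start(ap, nout);
    int r = core(fmt, 1, nl_type, nl_arg, out, nout, &ap);
    if (r >= 0) r = core(fmt, 2, nl_type, nl_arg, out, nout, &ap);
    va_end(ap);
    return r;
}
```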