Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Fri, 14 Apr 2023 16:55:42 +0200
From: Gabriel Ravier <gabravier@...il.com>
To: musl@...ts.openwall.com
Cc: Gabriel Ravier <gabravier@...il.com>
Subject: [PATCH] fix wide printf numbered argument buffer overflow

The nl_type and nl_arg arrays defined in vfwprintf may be accessed
with an index up to and including NL_ARGMAX, but they are only of size
NL_ARGMAX, meaning they may be written to or read from 1 element too
far.

For example, the following program:

 #include <assert.h>
 #include <stdio.h>
 #include <string.h>
 #include <wchar.h>

int main(void) {
   char buffer[500];
   for (size_t i = 0; i < sizeof(buffer); ++i)
      buffer[i] = (i % 3) ? 0 : 42;

   wchar_t result;

   int ret = swprintf(&result, 1, L"%1$s", "");
   assert(ret != -1);
}

evidences the bug, by sometimes mistakenly failing the assertion
and always triggering a warning under valgrind (the behavior is highly
dependent on build configuration - I could only reproduce the assert
failure with GCC 12.2.1 on a very specific system - but the bug is
still there, as evidenced by the warning valgrind always emits)

This patch fixes this.
---
 src/stdio/vfwprintf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c
index 18784113..53697701 100644
--- a/src/stdio/vfwprintf.c
+++ b/src/stdio/vfwprintf.c
@@ -347,8 +347,8 @@ overflow:
 int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
 {
 	va_list ap2;
-	int nl_type[NL_ARGMAX] = {0};
-	union arg nl_arg[NL_ARGMAX];
+	int nl_type[NL_ARGMAX+1] = {0};
+	union arg nl_arg[NL_ARGMAX+1];
 	int olderr;
 	int ret;
 
-- 
2.39.2

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.