Date: Sun, 3 Dec 2023 11:28:43 -0500
From: Morten Welinder <>
Subject: stdio/vfprintf.c

Looking at
I see a few issues:

1. If "i=-1" in getint on line 424 is reached and there are more
digits then the next overflow check will itself overflow in

2. The getint call on line 504 doesn't check for overflow.  If it did,
getint could just return -1 right away on overflow.

3. The "w=-w;" on line 488 doesn't check for overflow which will
happen for INT_MIN.

4. The length calculation for "%s" on line 600 implies that strings
longer than 2G cannot be printed.  It looks deliberate, but is it

5. And speaking of plain "%s" with no width or precision, why is the
string length even calculated first?  Walking the string twice seems

6. This comment and check seems out of date:
/* This error is only specified for snprintf, but since it's
* unspecified for other forms, do the same. Stop immediately
* on overflow; otherwise %n could produce wrong results. */
if (l > INT_MAX - cnt) goto overflow;

Since %n allows size modifiers it can already produce wrong results.
The right place to check would be at %n handling.
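Added example (not musl's code and not from the mail above): a digit parser in the shape the message suggests, which returns -1 as soon as the width or precision overflows and never re-enters the overflow check with a negative accumulator, plus INT_MIN-safe handling of a negative '*' width argument. The names getint_safe and star_width are assumed for illustration.

```c
#include <ctype.h>
#include <limits.h>
#include <stdio.h>

/* Parse a run of decimal digits as a printf field width or precision.
 * On overflow the result is -1; the remaining digits are still consumed
 * so the caller can skip the whole field, but the overflow test is never
 * evaluated with a negative accumulator (the problem described in issue 1). */
static int getint_safe(const char **s)
{
    int i = 0;
    for (; isdigit((unsigned char)**s); (*s)++) {
        int d = **s - '0';
        if (i < 0)
            continue;                   /* already overflowed: just consume */
        if (i > INT_MAX / 10 || d > INT_MAX - 10 * i)
            i = -1;                     /* would exceed INT_MAX */
        else
            i = 10 * i + d;
    }
    return i;
}

/* Apply a '*' width argument: a negative value means left adjustment with
 * the magnitude as the width.  INT_MIN has no representable magnitude, so
 * it is reported as overflow (-1) instead of computing -INT_MIN (issue 3). */
static int star_width(int arg, int *left_adj)
{
    *left_adj = 0;
    if (arg >= 0)
        return arg;
    if (arg == INT_MIN)
        return -1;
    *left_adj = 1;
    return -arg;
}

int main(void)
{
    /* Constructed inputs: the digit runs that would follow '%' in a format. */
    const char *ok = "123d", *edge = "2147483647d", *big = "2147483648d";
    int left;
    printf("%d\n", getint_safe(&ok));    /* 123 */
    printf("%d\n", getint_safe(&edge));  /* 2147483647 */
    printf("%d\n", getint_safe(&big));   /* -1 */
    printf("%d\n", star_width(INT_MIN, &left));   /* -1 */
    printf("%d %d\n", star_width(-7, &left), left); /* 7 1 */
    return 0;
}
```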

