]>
Commit | Line | Data |
---|---|---|
7c1f4834 | 1 | /* Test for vfprintf nargs allocation overflow (BZ #13656). |
04277e02 | 2 | Copyright (C) 2012-2019 Free Software Foundation, Inc. |
7c1f4834 KC |
3 | This file is part of the GNU C Library. |
4 | Contributed by Kees Cook <keescook@chromium.org>, 2012. | |
5 | ||
6 | The GNU C Library is free software; you can redistribute it and/or | |
7 | modify it under the terms of the GNU Lesser General Public | |
8 | License as published by the Free Software Foundation; either | |
9 | version 2.1 of the License, or (at your option) any later version. | |
10 | ||
11 | The GNU C Library is distributed in the hope that it will be useful, | |
12 | but WITHOUT ANY WARRANTY; without even the implied warranty of | |
13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
14 | Lesser General Public License for more details. | |
15 | ||
16 | You should have received a copy of the GNU Lesser General Public | |
c524201a | 17 | License along with the GNU C Library; if not, see |
5a82c748 | 18 | <https://www.gnu.org/licenses/>. */ |
7c1f4834 KC |
19 | |
20 | #include <stdio.h> | |
21 | #include <stdlib.h> | |
22 | #include <stdint.h> | |
23 | #include <unistd.h> | |
24 | #include <inttypes.h> | |
25 | #include <string.h> | |
26 | #include <signal.h> | |
27 | ||
28 | static int | |
29 | format_failed (const char *fmt, const char *expected) | |
30 | { | |
31 | char output[80]; | |
32 | ||
33 | printf ("%s : ", fmt); | |
34 | ||
35 | memset (output, 0, sizeof output); | |
36 | /* Having sprintf itself detect a failure is good. */ | |
37 | if (sprintf (output, fmt, 1, 2, 3, "test") > 0 | |
38 | && strcmp (output, expected) != 0) | |
39 | { | |
40 | printf ("FAIL (output '%s' != expected '%s')\n", output, expected); | |
41 | return 1; | |
42 | } | |
43 | puts ("ok"); | |
44 | return 0; | |
45 | } | |
46 | ||
47 | static int | |
48 | do_test (void) | |
49 | { | |
50 | int rc = 0; | |
51 | char buf[64]; | |
52 | ||
53 | /* Regular positionals work. */ | |
54 | if (format_failed ("%1$d", "1") != 0) | |
55 | rc = 1; | |
56 | ||
57 | /* Regular width positionals work. */ | |
58 | if (format_failed ("%1$*2$d", " 1") != 0) | |
59 | rc = 1; | |
60 | ||
61 | /* Positional arguments are constructed via read_int, so nargs can only | |
62 | overflow on 32-bit systems. On 64-bit systems, it will attempt to | |
63 | allocate a giant amount of memory and possibly crash, which is the | |
64 | expected situation. Since the 64-bit behavior is arch-specific, only | |
65 | test this on 32-bit systems. */ | |
66 | if (sizeof (long int) == 4) | |
67 | { | |
d22ce01b SL |
68 | sprintf (buf, "%%1$d %%%" PRIdPTR "$d", |
69 | (intptr_t) (UINT32_MAX / sizeof (int))); | |
7c1f4834 KC |
70 | if (format_failed (buf, "1 %$d") != 0) |
71 | rc = 1; | |
72 | } | |
73 | ||
74 | return rc; | |
75 | } | |
76 | ||
77 | #define TEST_FUNCTION do_test () | |
78 | #include "../test-skeleton.c" |