[thirdparty/glibc.git] / stdio-common / bug-vfprintf-nargs.c

/* Test for vfprintf nargs allocation overflow (BZ #13656).
   Copyright (C) 2012-2019 Free Software Foundation, Inc.
   This file is part of the GNU C Library.
   Contributed by Kees Cook <keescook@chromium.org>, 2012.

   The GNU C Library is free software; you can redistribute it and/or
   modify it under the terms of the GNU Lesser General Public
   License as published by the Free Software Foundation; either
   version 2.1 of the License, or (at your option) any later version.

   The GNU C Library is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
   Lesser General Public License for more details.

   You should have received a copy of the GNU Lesser General Public
   License along with the GNU C Library; if not, see
   <https://www.gnu.org/licenses/>.  */

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <inttypes.h>
#include <string.h>
#include <signal.h>

static int
format_failed (const char *fmt, const char *expected)
{
  char output[80];

  printf ("%s : ", fmt);

  memset (output, 0, sizeof output);
  /* Having sprintf itself detect a failure is good.  */
  if (sprintf (output, fmt, 1, 2, 3, "test") > 0
      && strcmp (output, expected) != 0)
    {
      printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
      return 1;
    }
  puts ("ok");
  return 0;
}

static int
do_test (void)
{
  int rc = 0;
  char buf[64];

  /* Regular positionals work.  */
  if (format_failed ("%1$d", "1") != 0)
    rc = 1;

  /* Regular width positionals work.  */
  if (format_failed ("%1$*2$d", " 1") != 0)
    rc = 1;

  /* Positional arguments are constructed via read_int, so nargs can only
     overflow on 32-bit systems.  On 64-bit systems, it will attempt to
     allocate a giant amount of memory and possibly crash, which is the
     expected situation.  Since the 64-bit behavior is arch-specific, only
     test this on 32-bit systems.  */
  if (sizeof (long int) == 4)
    {
      sprintf (buf, "%%1$d %%%" PRIdPTR "$d",
	       (intptr_t) (UINT32_MAX / sizeof (int)));
      if (format_failed (buf, "1 %$d") != 0)
        rc = 1;
    }

  return rc;
}

#define TEST_FUNCTION do_test ()
#include "../test-skeleton.c"
Commit	Line	Data
7c1f4834	1	/* Test for vfprintf nargs allocation overflow (BZ #13656).
04277e02	2	Copyright (C) 2012-2019 Free Software Foundation, Inc.
7c1f4834 KC	3	This file is part of the GNU C Library.
	4	Contributed by Kees Cook <keescook@chromium.org>, 2012.
	5
	6	The GNU C Library is free software; you can redistribute it and/or
	7	modify it under the terms of the GNU Lesser General Public
	8	License as published by the Free Software Foundation; either
	9	version 2.1 of the License, or (at your option) any later version.
	10
	11	The GNU C Library is distributed in the hope that it will be useful,
	12	but WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public
c524201a	17	License along with the GNU C Library; if not, see
5a82c748	18	<https://www.gnu.org/licenses/>. */
7c1f4834 KC	19
	20	#include <stdio.h>
	21	#include <stdlib.h>
	22	#include <stdint.h>
	23	#include <unistd.h>
	24	#include <inttypes.h>
	25	#include <string.h>
	26	#include <signal.h>
	27
	28	static int
	29	format_failed (const char fmt, const char expected)
	30	{
	31	char output[80];
	32
	33	printf ("%s : ", fmt);
	34
	35	memset (output, 0, sizeof output);
	36	/* Having sprintf itself detect a failure is good. */
	37	if (sprintf (output, fmt, 1, 2, 3, "test") > 0
	38	&& strcmp (output, expected) != 0)
	39	{
	40	printf ("FAIL (output '%s' != expected '%s')\n", output, expected);
	41	return 1;
	42	}
	43	puts ("ok");
	44	return 0;
	45	}
	46
	47	static int
	48	do_test (void)
	49	{
	50	int rc = 0;
	51	char buf[64];
	52
	53	/* Regular positionals work. */
	54	if (format_failed ("%1$d", "1") != 0)
	55	rc = 1;
	56
	57	/* Regular width positionals work. */
	58	if (format_failed ("%1$*2$d", " 1") != 0)
	59	rc = 1;
	60
	61	/* Positional arguments are constructed via read_int, so nargs can only
	62	overflow on 32-bit systems. On 64-bit systems, it will attempt to
	63	allocate a giant amount of memory and possibly crash, which is the
	64	expected situation. Since the 64-bit behavior is arch-specific, only
	65	test this on 32-bit systems. */
	66	if (sizeof (long int) == 4)
	67	{
d22ce01b SL	68	sprintf (buf, "%%1$d %%%" PRIdPTR "$d",
d22ce01b SL	69	(intptr_t) (UINT32_MAX / sizeof (int)));
7c1f4834 KC	70	if (format_failed (buf, "1 %$d") != 0)
	71	rc = 1;
	72	}
	73
	74	return rc;
	75	}
	76
	77	#define TEST_FUNCTION do_test ()
	78	#include "../test-skeleton.c"