git.ipfire.org Git - thirdparty/linux.git/commit
perf intel-pt: Fix snprintf size tracking bug in insn decoder
author: Arnaldo Carvalho de Melo <acme@redhat.com>
        Mon, 8 Jun 2026 00:06:54 +0000 (21:06 -0300)
committer: Arnaldo Carvalho de Melo <acme@redhat.com>
        Wed, 10 Jun 2026 21:56:01 +0000 (18:56 -0300)
commit: b6bb3b005dcdd960b8e0b7f9d6869132b3de08d5
tree: 29ea398928f8f972cf8743b921c7e555626049dc
parent: b8acc68f1382a3f380a0e7320a95d328ac5e9027
perf intel-pt: Fix snprintf size tracking bug in insn decoder

dump_insn() tracks remaining buffer space with a 'left' variable,
but the loop subtracts the cumulative offset 'n' each iteration
instead of just the per-iteration delta:

    n += snprintf(x->out + n, left, "%02x ", inbuf[i]);
    left -= n;  /* BUG: n is cumulative, not the delta */

After two iterations left goes massively negative, wrapping to a
huge value when passed as size_t to snprintf(), disabling all bounds
checking for the rest of the loop.

Switch to scnprintf() accumulation using sizeof(x->out) - n as the
remaining space, which is always correct and eliminates the separate
'left' variable entirely.

Fixes: 48d02a1d5c137d36 ("perf script: Add 'brstackinsn' for branch stacks")
Reported-by: sashiko-bot <sashiko-bot@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Assisted-by: Claude:claude-opus-4.6
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
tools/perf/util/intel-pt-decoder/intel-pt-insn-decoder.c
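The two tracking patterns the commit message contrasts, as an added example that is not the kernel's or perf's own code. scnprintf_local() is a stand-in for the kernel/tools scnprintf() written here so the block builds against plain libc; the 16-byte output buffer, the struct name and the 16-byte sample input are constructed for illustration. dump_buggy() reproduces the 'left -= n' mistake but compares the size it is about to hand to snprintf() against the space that really remains and stops instead of writing out of bounds, so the wrap is observable without corrupting memory; dump_fixed() is the sizeof(out) - n accumulation the fix switches to.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-in for the kernel/tools scnprintf() (assumption: local reimplementation
 * so this builds with plain libc). Unlike snprintf(), it returns the number of
 * characters actually stored, never the would-have-been length, so summing its
 * results can never exceed size - 1.
 */
static int scnprintf_local(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int ret;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	ret = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (ret < 0)
		return 0;
	return (size_t)ret >= size ? (int)(size - 1) : ret;
}

#define OUT_SIZE 16	/* deliberately tiny so the bug shows within a few bytes */

struct dumper {
	char out[OUT_SIZE];
};

/*
 * Buggy pattern from the commit message: 'left' is reduced by the cumulative
 * offset n instead of the per-iteration delta. Before each snprintf() call the
 * size about to be passed is compared with the space that really remains; the
 * first iteration that would write past x->out is reported instead of performed.
 * Returns that iteration index (or -1 if none) and stores the size_t snprintf()
 * would have received in *bad_size.
 */
static int dump_buggy(struct dumper *x, const unsigned char *inbuf, size_t len,
		      size_t *bad_size)
{
	int n = 0, left = sizeof(x->out);
	size_t i;

	*bad_size = 0;
	for (i = 0; i < len; i++) {
		size_t size = (size_t)left;	/* a negative 'left' wraps here */
		size_t truly_left = (size_t)n >= sizeof(x->out) ?
				    0 : sizeof(x->out) - (size_t)n;

		if (size > truly_left) {
			*bad_size = size;
			return (int)i;
		}
		n += snprintf(x->out + n, size, "%02x ", inbuf[i]);
		left -= n;	/* BUG: n is cumulative, not the delta */
	}
	return -1;
}

/*
 * Fixed pattern: accumulate scnprintf() results and recompute the remaining
 * space as sizeof(x->out) - n on every call. Because scnprintf() never reports
 * more than it stored, n stays <= sizeof(x->out) - 1, the size argument cannot
 * wrap, and once the buffer is full further bytes are silently dropped.
 * Returns the number of characters now in x->out.
 */
static int dump_fixed(struct dumper *x, const unsigned char *inbuf, size_t len)
{
	int n = 0;
	size_t i;

	x->out[0] = '\0';
	for (i = 0; i < len; i++)
		n += scnprintf_local(x->out + n, sizeof(x->out) - (size_t)n,
				     "%02x ", inbuf[i]);
	return n;
}

/* Constructed sample input (not from the page): 16 consecutive byte values. */
#define SAMPLE_LEN 16
static const unsigned char sample[SAMPLE_LEN] = {
	0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 };

/* Iteration at which the buggy loop would first write out of bounds. */
static int demo_buggy_first_unsafe_iteration(void)
{
	struct dumper x;
	size_t bad;

	memset(&x, 0, sizeof(x));
	return dump_buggy(&x, sample, SAMPLE_LEN, &bad);
}

/* The wrapped size_t that iteration would have passed to snprintf(). */
static size_t demo_buggy_wrapped_size(void)
{
	struct dumper x;
	size_t bad;

	memset(&x, 0, sizeof(x));
	dump_buggy(&x, sample, SAMPLE_LEN, &bad);
	return bad;
}

/* Characters the fixed loop stores: the buffer fills to OUT_SIZE - 1 and stops. */
static int demo_fixed_len(void)
{
	struct dumper x;

	return dump_fixed(&x, sample, SAMPLE_LEN);
}

int main(void)
{
	struct dumper x;

	printf("buggy: out-of-bounds at iteration %d, size passed %zu\n",
	       demo_buggy_first_unsafe_iteration(), demo_buggy_wrapped_size());
	printf("fixed: %d chars, \"%s\"\n", dump_fixed(&x, sample, SAMPLE_LEN), x.out);
	return 0;
}
```

With a 16-byte buffer and 3 characters per byte, 'left' is 16, 13, 7 and then -2 after the third iteration, so the fourth snprintf() would be called with SIZE_MAX - 1 as its size while only 7 bytes actually remain. The fixed loop stores "00 01 02 03 04 " (15 characters) and then keeps calling scnprintf_local() with a size of 1, which writes only the terminating NUL and returns 0.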