From beaa94931345271fd288480d7ea952f9551ef991 Mon Sep 17 00:00:00 2001
From: =?utf8?q?P=C3=A1draig=20Brady?=
Date: Wed, 18 May 2011 00:01:55 +0100
Subject: [PATCH] printf: fix an out-of-bounds memory access
* src/printf.c (STRTOX): Don't access memory after a string containing a single quote character.
* tests/misc/printf: Add tests for various combinations of single quote characters combined with a numeric format.
* THANKS.in: Add bug reporter.
* NEWS: Mention the fix.
Reported-by: Paul Marinescu
---
 NEWS | 5 +++++
 THANKS.in | 1 +
 src/printf.c | 2 +-
 tests/misc/printf | 23 +++++++++++++++++++++++
 4 files changed, 30 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 7a7f7612b9..88593ab65e 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@ GNU coreutils NEWS -*- outline -*-
 * Noteworthy changes in release ?.? (????-??-??) [?]
+** Bug fixes
+
+ printf '%d' '"' no longer accesses out-of-bounds memory in the diagnostic.
+ [bug introduced in sh-utils-1.16]
+
 ** New features
 split accepts a new --filter=CMD option. With it, split filters output
diff --git a/THANKS.in b/THANKS.in
index 3156834548..9120ba304f 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -449,6 +449,7 @@ Patrick Mauritz oxygene@studentenbude.ath.cx
 Paul D. Smith psmith@gnu.org
 Paul Ghaleb paul.ghaleb@st.com
 Paul Jarc prj@po.cwru.edu
+Paul Marinescu paul.marinescu@imperial.ac.uk
 Paul Nevai nevai@ops.mps.ohio-state.edu
 Paul Sauer paul@alexa.com
 Paul Slootman paul@debian.org
diff --git a/src/printf.c b/src/printf.c
index e05947c756..24070b8926 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s) \
 char *end; \
 TYPE val; \
 \
- if (*s == '\"' || *s == '\'') \
+ if ((*s == '\"' || *s == '\'') && *(s + 1)) \
 { \
 unsigned char ch = *++s; \
 val = ch; \
diff --git a/tests/misc/printf b/tests/misc/printf
index 64047614b6..fd1275dfef 100755
--- a/tests/misc/printf
+++ b/tests/misc/printf
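Review bot: The new guard `*(s + 1)` in the src/printf.c hunk is easier to read and audit as `s[1] != '\0'`, and the condition deserves a short comment on why a lone quote is refused, e.g. `/* A lone quote has no character to convert; let the numeric path reject it. */` (with the trailing `\` the macro body needs). Because `&&` short-circuits, the second byte is only read when the first is a quote, so the check itself stays inside the string. The commit message attributes the stray read to the diagnostic issued later in this branch; that code, like the start and end of the macro, is outside the hunk, so the comment should name the invariant ("at least one character follows the quote") that the rest of the branch relies on.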
@@ -96,4 +96,27 @@ EOF
 compare out exp || fail=1
+# Verify handling of single quote chars (\' or \")
+
+"$prog" '%d\n' '"a' >out 2>err # valid
+"$prog" '%d\n' '"a"' >>out 2>>err # invalid
+"$prog" '%d\n' '"' >>out 2>>err # invalid
+"$prog" '%d\n' 'a' >>out 2>>err # invalid
+
+cat < exp
+97
+97
+0
+0
+EOF
+
+cat < exp_err
+$prog: warning: ": character(s) following character constant have been ignored
+$prog: ": expected a numeric value
+$prog: a: expected a numeric value
+EOF
+
+compare out exp || fail=1
+compare err exp_err || fail=1
+
 Exit $fail
--
2.47.2
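Review bot: The added cases exercise only the `"` prefix with `%d`, while the patched condition in src/printf.c treats `'` identically and the comment above the cases names both quote characters. A lone `'` argument, e.g. `"$prog" '%d\n' "'" >>out 2>>err`, would pin that branch; its expected stderr line presumably mirrors the one for `"`. The `# invalid` comment on the `'"a"'` case is also slightly off, since the expected output shows it printing 97 with only a warning; `# valid, trailing char ignored with a warning` is closer to what exp and exp_err assert. If STRTOX is expanded for other numeric conversions as well (not visible in this patch), one non-`%d` case would guard those instantiations too.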