retitle 794947 printf(3): possible integer overflow in make_message
example
severity 794947 wishlist
tags 794947 + confirmed
tags 794947 + upstream
forwarded 794947 linux-man@xxxxxxxxxxxxxxx
stop
-----
Hello Walter,
Jakub Wilk reported a possible integer overflow in make_message example
:
The example in the printf(3) manpages looks like this (with boring
parts
omitted):
int n;
/* ... */
n = vsnprintf(p, size, fmt, ap);
/* ... */
if (n < 0) {
/* ... */
return NULL;
}
/* ... */
size = n + 1;
But vsnprintf could return INT_MAX, which would then cause "n + 1" to
overflow.
(AFAICS, the glibc vsnprintf implementation never returns INT_MAX, but
it could in principle.)
I'd suggest changing "n < 0" to "n < 0 || n == INT_MAX".
Since this example has been modified by you (Walter Harms), after the
bug #794947 [1] has been reported, I wanted to ask your opinion on the
best option.
Should we add this test to good practice, or rather a comment to mention
that the case is not taken into account because the example uses glibc?
Regards,
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794947
--
Stéphane Aulery
--
To unsubscribe from this list: send the line "unsubscribe linux-man" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
