vsnprintf broken

Johannes Hofmann Johannes.Hofmann at gmx.de
Wed May 14 08:47:53 PDT 2008 

I think I found the problem. At least the following patch taken
from FreeBSD fixes the issue for me:

Index: lib/libc/stdio/vsnprintf.c
===================================================================
RCS file: /home/dcvs/src/lib/libc/stdio/vsnprintf.c,v
retrieving revision 1.8
diff -r1.8 vsnprintf.c
53c53
<       char dummy;
---
>       char dummy[2];
63c63,65
<                 str = &dummy;
---
>               if (on > 0)
>                       *str = '\0';
>                 str = dummy;


The FreeBSD commit message is:

revision 1.22
date: 2003-07-02 00:08:44 -0700;  author: jkh;  state: Exp;  lines: +5 -3;
When size is 1 should just null terminate the string.  The dummy variable
is made an array of two, to explicitly avoid stack corruption due to
null-terminating (which is doesn't actually happen due to stack alignment
padding).

Submitted by: Ed Moy <emoy at apple.com>
Obtained from: Apple Computer, Inc.


Does anyone understand, why more than one byte may be written if n = 1?

Cheers,
Johannes


Simon 'corecode' Schubert <corecode at fs.ei.tum.de> wrote:
> [-- text/plain, encoding quoted-printable, charset: UTF-8, 29 lines --]
> 
> Simon 'corecode' Schubert wrote:
>> Johannes Hofmann wrote:
>>> Hello,
>>>
>>> I see crashes with a string handling library on DragonFly.
>>> The problem can be reduced to the test program below. It crashes on
>>> DragonFly when compiled with "gcc -O2 -o foo foo.c". Without -O2 it 
>>> runs fine. No problems on Linux with or without -O2.
>>> Can anyone spot the problem? I think its related to the use of
>>> va_copy().
>> 
>> No, the problem is that gcc uses %ebx after a function call, which it is
>> not allowed to do:
> [snip]
>> Or does the ABI dictate that %ebx needs to be restored?  Seems that
>> linux/glibc doesn't clobber ebx.
> 
> okay, I am wrong here.  %ebx is supposed to be saved and is also being
> saved by vsnprinf.  gcc is good.
> 
> So this is actually a case of stack smashing.  Have fun finding the bug
> in vsnprintf or in your code :)
> 
>> cheers
>>   simon
> 
> 
> 
> [-- application/pgp-signature, encoding 7bit, 9 lines, name: signature.asc --]
> [-- Description: OpenPGP digital signature --]
>

More information about the Users mailing list