Johannes.Hofmann at gmx.de
Wed May 14 08:47:53 PDT 2008
I think I found the problem. At least the following patch taken
from FreeBSD fixes the issue for me:
RCS file: /home/dcvs/src/lib/libc/stdio/vsnprintf.c,v
retrieving revision 1.8
diff -r1.8 vsnprintf.c
< char dummy;
> char dummy;
< str = &dummy;
> if (on > 0)
> *str = '\0';
> str = dummy;
The FreeBSD commit message is:
date: 2003-07-02 00:08:44 -0700; author: jkh; state: Exp; lines: +5 -3;
When size is 1 should just null terminate the string. The dummy variable
is made an array of two, to explicitly avoid stack corruption due to
null-terminating (which is doesn't actually happen due to stack alignment
Submitted by: Ed Moy <emoy at apple.com>
Obtained from: Apple Computer, Inc.
Does anyone understand, why more than one byte may be written if n = 1?
Simon 'corecode' Schubert <corecode at fs.ei.tum.de> wrote:
> [-- text/plain, encoding quoted-printable, charset: UTF-8, 29 lines --]
> Simon 'corecode' Schubert wrote:
>> Johannes Hofmann wrote:
>>> I see crashes with a string handling library on DragonFly.
>>> The problem can be reduced to the test program below. It crashes on
>>> DragonFly when compiled with "gcc -O2 -o foo foo.c". Without -O2 it
>>> runs fine. No problems on Linux with or without -O2.
>>> Can anyone spot the problem? I think its related to the use of
>> No, the problem is that gcc uses %ebx after a function call, which it is
>> not allowed to do:
>> Or does the ABI dictate that %ebx needs to be restored? Seems that
>> linux/glibc doesn't clobber ebx.
> okay, I am wrong here. %ebx is supposed to be saved and is also being
> saved by vsnprinf. gcc is good.
> So this is actually a case of stack smashing. Have fun finding the bug
> in vsnprintf or in your code :)
> [-- application/pgp-signature, encoding 7bit, 9 lines, name: signature.asc --]
> [-- Description: OpenPGP digital signature --]
More information about the Users