bin/181154: snprintf with out of bounds positional arguments results in segfault
Garrett Cooper
yaneurabeya at gmail.com
Fri Aug 9 01:00:00 UTC 2013
>Number: 181154
>Category: bin
>Synopsis: snprintf with out of bounds positional arguments results in segfault
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Aug 09 01:00:00 UTC 2013
>Closed-Date:
>Last-Modified:
>Originator: Garrett Cooper
>Release: 10-CURRENT
>Organization:
EMC Isilon
>Environment:
>Description:
The following piece of test code...
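#include <stdint.h>
#include <stdio.h>

#include <atf-c.h>

ATF_TC(snprintf_posarg_error);
ATF_TC_HEAD(snprintf_posarg_error, tc)
{
	atf_tc_set_md_var(tc, "descr", "test for positional arguments out "
	    "of bounds");
}

ATF_TC_BODY(snprintf_posarg_error, tc)
{
	char s[16], fmt[32];

	/* Build "%<n>$d" with a positional index far past the one argument. */
	snprintf(fmt, sizeof(fmt), "%%%zu$d", SIZE_MAX / sizeof(size_t));
	/* Expected: snprintf fails with -1 instead of crashing. */
	ATF_CHECK(snprintf(s, sizeof(s), fmt, -23) == -1);
}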
Produces this segfault:
tc-start: 1376007948.899132, snprintf_posarg_error
tc-se:Test program crashed; attempting to get stack trace
tc-se:Core was generated by `t_printf'.
tc-se:Program terminated with signal 11, Segmentation fault.
tc-se:#0 0x28186bc3 in vfprintf () from /lib/libc.so.7
tc-se:Stack trace complete
tc-end: 1376007948.947316, snprintf_posarg_error, failed, Test program received signal 11 (core dumped)
>How-To-Repeat:
>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
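
Added example, not part of the original report and not FreeBSD's libc code: a caller-side check that rejects a format string whose %n$ or *n$ positional index is zero, overflows size_t, or exceeds the number of arguments actually passed, so a format like the one built in the test case above never reaches snprintf. The names parse_posarg and posargs_in_bounds are hypothetical, and nargs is assumed to be the count of variadic arguments the caller supplies.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Added example with hypothetical helper names; not libc code. */
/* 1: "<digits>$" consumed into *idx; 0: not positional; -1: zero or overflow. */
static int parse_posarg(const char **pp, size_t *idx)
{
	const char *p = *pp;
	size_t n = 0;

	for (; isdigit((unsigned char)*p); p++) {
		if (n > (SIZE_MAX - (size_t)(*p - '0')) / 10)
			return -1;
		n = n * 10 + (size_t)(*p - '0');
	}
	if (p == *pp || *p != '$')
		return 0;	/* no digits, or a plain field width */
	if (n == 0)
		return -1;
	*idx = n;
	*pp = p + 1;
	return 1;
}

/* Return 1 if every %n$ and *n$ reference in fmt lies in 1..nargs, else 0. */
int posargs_in_bounds(const char *fmt, size_t nargs)
{
	const char *p = fmt;
	size_t idx = 0;
	int r;

	while ((p = strchr(p, '%')) != NULL) {
		if (*++p == '%') {	/* literal "%%" */
			p++;
			continue;
		}
		for (;;) {	/* %n$ first, then any *n$ width or precision */
			r = parse_posarg(&p, &idx);
			if (r < 0 || (r > 0 && idx > nargs))
				return 0;
			p += strspn(p, "#0- +'.123456789");
			if (*p != '*')
				break;
			p++;
		}
	}
	return 1;
}
```

The check is conservative: a digit run too large for size_t is rejected even when it is a field width rather than a positional index.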