bin/75638: sscanf %lld broken on 4.x

Przemyslaw Frasunek venglin at freebsd.lublin.pl
Wed Dec 29 15:20:31 PST 2004


The following reply was made to PR bin/75638; it has been noted by GNATS.

From: Przemyslaw Frasunek <venglin at freebsd.lublin.pl>
To: freebsd-gnats-submit at FreeBSD.org
Cc:  
Subject: Re: bin/75638: sscanf %lld broken on 4.x
Date: Thu, 30 Dec 2004 00:16:34 +0100

  > sscanf(s, "%lld", &l) will not set l to valid value if l was previously
  > not zero.
 
 well, not exactly non-zero. the problem occurs when l is initialized with a value 
 greater than 0xffffffff:
 
 lagoon:venglin:~> cat test.c
 #include <stdio.h>
 
 int main(void) {
          //long long value = 0x100000000L;
          long long value = 0xffffffff;
          char *s = "10";
 
          fprintf(stderr, "%lld %s\n", value, s);
          sscanf(s, "%lld", &value);
          fprintf(stderr, "%lld %s\n", value, s);
 }
 lagoon:venglin:~> cc -o test test.c
 lagoon:venglin:~> ./test
 4294967295 10
 10 10
 
 
 lagoon:venglin:~> cat test.c
 #include <stdio.h>
 
 int main(void) {
          long long value = 0x100000000L;
          //long long value = 0xffffffff;
          char *s = "10";
 
          fprintf(stderr, "%lld %s\n", value, s);
          sscanf(s, "%lld", &value);
          fprintf(stderr, "%lld %s\n", value, s);
 }
 lagoon:venglin:~> cc -o test test.c
 lagoon:venglin:~> ./test
 4294967296 10
 4294967306 10
 
 it looks like a classical unsigned integer overflow, which could have some yet 
 unknown security implications.
 
 -- 
 * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
 * JID: venglin at jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
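As an added example (not part of the PR or of the author's test program), a small self-test that reports whether the libc in use shows the symptom of the two runs above, where sscanf("%lld") leaves the bits above the low 32 of a previously set long long untouched, together with a strtoll-based parser that does not depend on sscanf's store width. The function names are this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Returns 1 if sscanf("%lld") does not overwrite the whole 64-bit target
 * (the PR's second run: 0x100000000 + 10 instead of 10), 0 otherwise.
 * Same inputs as the author's second test. */
int sscanf_lld_is_broken(void)
{
    long long value = 0x100000000LL;          /* bit 32 set, low word zero */
    if (sscanf("10", "%lld", &value) != 1)
        return 1;                             /* no conversion at all */
    return value != 10;                       /* 4294967306 on the affected libc */
}

/* Hardened replacement: parse a decimal long long with strtoll and reject
 * anything that is not a complete, in-range number. *out is written only
 * on success, as a full 64-bit store. Returns 0 on success, -1 on error. */
int parse_lld(const char *s, long long *out)
{
    char *end;
    long long v;

    if (s == NULL || *s == '\0')
        return -1;
    errno = 0;
    v = strtoll(s, &end, 10);
    if (errno == ERANGE)                      /* overflow or underflow */
        return -1;
    if (end == s || *end != '\0')             /* no digits, or trailing junk */
        return -1;
    *out = v;
    return 0;
}

/* Returns the parsed value, or `prior` unchanged when parse_lld rejects s. */
long long parse_lld_or(const char *s, long long prior)
{
    long long v = prior;
    (void)parse_lld(s, &v);
    return v;
}

int main(void)
{
    printf("sscanf %%lld broken: %s\n", sscanf_lld_is_broken() ? "yes" : "no");
    printf("parse_lld_or(\"10\", 0x100000000) -> %lld\n",
           parse_lld_or("10", 0x100000000LL));   /* 10 regardless of prior value */
    return 0;
}
```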