Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE == 2

Bruno Haible Thu, 18 Oct 2007 04:13:40 -0700

Jim Meyering wrote:
>     $ ./seq 1
>     *** %n in writable segment detected ***


The use of format strings in writable memory is valid. A use case is, for
example, in
    printf (gettext ("foo %d bar %x %n"), ...);

When the translator's and the user's charset encoding are not the same,
or when mmap() is not available, the format string returned by the gettext
function will be in writable memory.

The distinction between read-only and writable memory is something I had not
thought of in m4/printf.m4. Making the test more accurate like this.


2007-10-18  Bruno Haible  <[EMAIL PROTECTED]>

        * m4/printf.m4 (gl_PRINTF_DIRECTIVE_N, gl_SNPRINTF_DIRECTIVE_N): Put
        the format string into writable memory. Needed in Fortify conditions.

*** m4/printf.m4.orig   2007-10-18 13:10:26.000000000 +0200
--- m4/printf.m4        2007-10-18 13:05:44.000000000 +0200
***************
*** 1,4 ****
! # printf.m4 serial 16
  dnl Copyright (C) 2003, 2007 Free Software Foundation, Inc.
  dnl This file is free software; the Free Software Foundation
  dnl gives unlimited permission to copy and/or distribute it,
--- 1,4 ----
! # printf.m4 serial 17
  dnl Copyright (C) 2003, 2007 Free Software Foundation, Inc.
  dnl This file is free software; the Free Software Foundation
  dnl gives unlimited permission to copy and/or distribute it,
***************
*** 585,595 ****
        AC_TRY_RUN([
  #include <stdio.h>
  #include <string.h>
  static char buf[100];
  int main ()
  {
    int count = -1;
!   if (sprintf (buf, "%d %n", 123, &count, 33, 44, 55) < 0
        || strcmp (buf, "123 ") != 0
        || count != 4)
      return 1;
--- 585,600 ----
        AC_TRY_RUN([
  #include <stdio.h>
  #include <string.h>
+ static char fmtstring[10];
  static char buf[100];
  int main ()
  {
    int count = -1;
!   /* Copy the format string.  Some systems (glibc with _FORTIFY_SOURCE=2)
!      support %n in format strings in read-only memory but not in writable
!      memory.  */
!   strcpy (fmtstring, "%d %n");
!   if (sprintf (buf, fmtstring, 123, &count, 33, 44, 55) < 0
        || strcmp (buf, "123 ") != 0
        || count != 4)
      return 1;
***************
*** 872,882 ****
        AC_TRY_RUN([
  #include <stdio.h>
  #include <string.h>
  static char buf[100];
  int main ()
  {
    int count = -1;
!   snprintf (buf, 4, "%d %n", 12345, &count, 33, 44, 55);
    if (count != 6)
      return 1;
    return 0;
--- 877,892 ----
        AC_TRY_RUN([
  #include <stdio.h>
  #include <string.h>
+ static char fmtstring[10];
  static char buf[100];
  int main ()
  {
    int count = -1;
!   /* Copy the format string.  Some systems (glibc with _FORTIFY_SOURCE=2)
!      support %n in format strings in read-only memory but not in writable
!      memory.  */
!   strcpy (fmtstring, "%d %n");
!   snprintf (buf, 4, fmtstring, 12345, &count, 33, 44, 55);
    if (count != 6)
      return 1;
    return 0;

Re: vasnprintf's "%n in writable segment" chokes with _FORTIFY_SOURCE == 2

Reply via email to