Hi Ben, > When I apply the following patch to gnulib: > > ---------------------------------------------------------------------- > diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c > index 19731bc93378..105ac24c94a3 100644 > --- a/tests/test-vasnprintf.c > +++ b/tests/test-vasnprintf.c > @@ -59,6 +59,11 @@ test_function (char * (*my_asnprintf) (char *, size_t *, > const char *, ...)) > if (result != buf) > free (result); > } > + > + size_t length = 8; > + char *result = my_asnprintf (buf, &length, "%2.0f", > 0x1.e38417c792296p+893); > + if (result != buf) > + free (result); > } > > static char * > ---------------------------------------------------------------------- > > and then run: > > CC='gcc -fsanitize=address -g -O0' ./gnulib-tool --test vasnprintf > vasnprintf-posix > > I get the following failure from test-vasnprintf: > > ---------------------------------------------------------------------- > ==17880==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf4b03ece > at pc 0xf770f8ed bp 0xffac9638 sp 0xffac962c > WRITE of size 1 at 0xf4b03ece thread T0 > #0 0xf770f8ec in convert_to_decimal ../../gllib/vasnprintf.c:899 > #1 0xf770f8ec in scale10_round_decimal_decoded > ../../gllib/vasnprintf.c:1292 > #2 0xf771057c in scale10_round_decimal_double > ../../gllib/vasnprintf.c:1328 > #3 0xf771755c in vasnprintf ../../gllib/vasnprintf.c:4119
An excellent bug report! Thank you. > The line in convert_to_decimal() cited above is the assignment here: > > /* Terminate the string. */ > *d_ptr = '\0'; > > I guess that the space calculation passed to malloc() at the top of the > same function is not precise. I don't know whether the right thing to > do is to just add one. Indeed, the right thing is to add just 1. > This bug was originally reported against GNU PSPP: > https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686 > > For this report, I've simplified it to remove the PSPP dependency (and > to make sure it isn't somehow a PSPP bug). I found a smaller test case: 1.6314159265358979e+125 instead of 1.24726002000241678234e+269, and added that to the test suite. For the record, the issue occurs for all numbers in the ranges 10^125 <= arg < 2^416 10^134 <= arg < 2^448 10^260 <= arg < 2^864 10^269 <= arg < 2^896 ... 2018-09-23 Bruno Haible <br...@clisp.org> vasnprintf: Fix heap memory overrun bug. Reported by Ben Pfaff <b...@cs.stanford.edu> in <https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>. * lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of memory. * tests/test-vasnprintf.c (test_function): Add another test. diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c index 56ffbe3..30d021b 100644 --- a/lib/vasnprintf.c +++ b/lib/vasnprintf.c @@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes) size_t a_len = a.nlimbs; /* 0.03345 is slightly larger than log(2)/(9*log(10)). */ size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1); - char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes)); + /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the + digits of a, followed by 1 byte for the terminating NUL. */ + char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1)); if (c_ptr != NULL) { char *d_ptr = c_ptr; diff --git a/tests/test-vasnprintf.c b/tests/test-vasnprintf.c index 19731bc..93d81d7 100644 --- a/tests/test-vasnprintf.c +++ b/tests/test-vasnprintf.c @@ -53,7 +53,26 @@ test_function (char * (*my_asnprintf) (char *, size_t *, const char *, ...)) ASSERT (result != NULL); ASSERT (strcmp (result, "12345") == 0); ASSERT (length == 5); - if (size < 6) + if (size < 5 + 1) + ASSERT (result != buf); + ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0); + if (result != buf) + free (result); + } + + /* Note: This test assumes IEEE 754 representation of 'double' floats. */ + for (size = 0; size <= 8; size++) + { + size_t length; + char *result; + + memcpy (buf, "DEADBEEF", 8); + length = size; + result = my_asnprintf (buf, &length, "%2.0f", 1.6314159265358979e+125); + ASSERT (result != NULL); + ASSERT (strcmp (result, "163141592653589790215729350939528493057529598899734151772468186268423257777068536614838678161083520756952076273094236944990208") == 0); + ASSERT (length == 126); + if (size < 126 + 1) ASSERT (result != buf); ASSERT (memcmp (buf + size, &"DEADBEEF"[size], 8 - size) == 0); if (result != buf)
