In printf implementations, it is easy to miss the fact that for %.50g
the implementation needs to allocate room for the thousands-separators.
I checked various systems, and Solaris printf() was found to crash in
such circumstances.

Anyone with a support contract for Solaris 11.4 - feel free to create a CVE,
based on <https://www.illumos.org/issues/17383>.


2025-04-12  Bruno Haible  <br...@clisp.org>

        vasnprintf tests: Add a test case that showcases a Solaris bug.
        * tests/test-vasnprintf-posix2.c (main): Add one more %'g test.
        * tests/test-vasnwprintf-posix2.c (main): Likewise.

diff --git a/tests/test-vasnprintf-posix2.c b/tests/test-vasnprintf-posix2.c
index b0ba95b667..55e26d666f 100644
--- a/tests/test-vasnprintf-posix2.c
+++ b/tests/test-vasnprintf-posix2.c
@@ -439,6 +439,13 @@ main (int argc, char *argv[])
         }
       free (result);
     }
+    /* This test used to crash in the Solaris libc, for all Solaris versions.
+       <https://www.illumos.org/issues/17383>  */
+    {
+      size_t length;
+      char *result = asnprintf (NULL, &length, "%'.500Lg\n", 
42351647362715016953416125033982098102569580078125000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.0L);
+      free (result);
+    }
   }
 
   return test_exit_status;
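Review bot: The added block frees `result` without checking it, so the test detects only a crash; a NULL return from asnprintf or a truncated result would pass silently. Adding `ASSERT (result != NULL);` before `free (result);` would make those paths fail loudly, assuming the ASSERT macro used by gnulib tests is in scope here. The same applies to the asnwprintf block added in tests/test-vasnwprintf-posix2.c. Separately, the literal appears to be about 500 digits long, which would overflow where long double has only the range of double, so the digit-grouping path may not be exercised on such platforms; a one-line comment noting that would help. main's body starts and ends outside the hunk.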
diff --git a/tests/test-vasnwprintf-posix2.c b/tests/test-vasnwprintf-posix2.c
index 4ccbe079ae..394e872e26 100644
--- a/tests/test-vasnwprintf-posix2.c
+++ b/tests/test-vasnwprintf-posix2.c
@@ -345,6 +345,11 @@ main (int argc, char *argv[])
               && wcscmp (result + 7, L"000") == 0);
       free (result);
     }
+    {
+      size_t length;
+      wchar_t *result = asnwprintf (NULL, &length, L"%'.500Lg\n", 
42351647362715016953416125033982098102569580078125000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.0L);
+      free (result);
+    }
   }
 
   return test_exit_status;
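Review bot: The added block has no comment, unlike its counterpart in tests/test-vasnprintf-posix2.c, so a reader of this file alone cannot tell why a `%'.500Lg` call with an unchecked result is here. I would add `/* Crash regression test, wide variant; see <https://www.illumos.org/issues/17383>.  */` above the opening brace. The commit does not say whether the wide-character path crashed on Solaris as well, so the comment should claim only what was actually observed. main's body starts and ends outside the hunk.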



