Bug 181154 - [libc] snprintf(3) with out of bounds positional arguments results in segfault
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: Unspecified
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 2013-08-09 02:00 UTC by Enji Cooper
Modified: 2017-12-31 22:27 UTC

Description Enji Cooper freebsd_committer freebsd_triage 2013-08-09 02:00:00 UTC
The following piece of test code...

ATF_TC(snprintf_posarg_error);
ATF_TC_HEAD(snprintf_posarg_error, tc)
{

        atf_tc_set_md_var(tc, "descr", "test for positional arguments out "
            "of bounds");
}

ATF_TC_BODY(snprintf_posarg_error, tc)
{
        char s[16], fmt[32];

        snprintf(fmt, sizeof(fmt), "%%%zu$d", SIZE_MAX / sizeof(size_t));

        ATF_CHECK(snprintf(s, sizeof(s), fmt, -23) == -1);
}

Produces this segfault:

tc-start: 1376007948.899132, snprintf_posarg_error
tc-se:Test program crashed; attempting to get stack trace
tc-se:Core was generated by `t_printf'.
tc-se:Program terminated with signal 11, Segmentation fault.
tc-se:#0  0x28186bc3 in vfprintf () from /lib/libc.so.7
tc-se:Stack trace complete
tc-end: 1376007948.947316, snprintf_posarg_error, failed, Test program received signal 11 (core dumped)
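
A caller-side guard for the condition this report exercises, as an added example that is not part of the original report and is not FreeBSD libc code: it checks that every positional index ("%n$" or "*n$") in a format string lies within the number of arguments actually supplied, before the string reaches the printf family. The names check_index and posargs_in_bounds are hypothetical, and the check does not validate conversion types or mixed positional and non-positional use.

```c
/* Added example, not FreeBSD libc code: bounds-check positional indices. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* If "digits$" starts at *pp, skip past it and return -1 when the index is
 * outside 1..nargs. Return 0 otherwise (in range, or just a field width). */
static int check_index(const char **pp, size_t nargs)
{
    const char *p = *pp;
    size_t n = 0;

    for (; isdigit((unsigned char)*p); p++) {
        /* Saturate at SIZE_MAX so a long digit run cannot wrap around. */
        n = (n > (SIZE_MAX - 9) / 10) ? SIZE_MAX
                                      : n * 10 + (size_t)(*p - '0');
    }
    if (p == *pp || *p != '$')
        return 0;
    *pp = p + 1;
    return (n >= 1 && n <= nargs) ? 0 : -1;
}

/* Return 1 if every "%n$" and "*n$" index in fmt is in 1..nargs, else 0. */
int posargs_in_bounds(const char *fmt, size_t nargs)
{
    const char *p = fmt;

    while (*p != '\0') {
        if (*p++ != '%')
            continue;
        if (*p == '%') {            /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        if (check_index(&p, nargs) != 0)
            return 0;
        /* Walk flags, width, precision up to the length/conversion letter. */
        while (*p != '\0' && *p != '%' && !isalpha((unsigned char)*p))
            if (*p++ == '*' && check_index(&p, nargs) != 0)
                return 0;
    }
    return 1;
}

int main(void)
{
    char fmt[32];                   /* the format the report's test builds */
    snprintf(fmt, sizeof(fmt), "%%%zu$d", SIZE_MAX / sizeof(size_t));
    printf("%s -> %s\n", fmt, posargs_in_bounds(fmt, 1) ? "ok" : "rejected");
    return 0;
}
```
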
Comment 1 Eitan Adler freebsd_committer freebsd_triage 2017-12-31 07:59:15 UTC
For bugs matching the following criteria:

Status: In Progress Changed: (is less than) 2014-06-01

Reset to default assignee and clear in-progress tags.

Mail being skipped