elf: Fix alloca size in _dl_debug_vdprintf

The alloca size did not consider the optional width parameter for
padding which could cause buffer underflow. The width is currently used
e.g. by _dl_map_object_from_fd which passes 2 * sizeof(void *) which
can be larger than the alloca buffer size on targets where
sizeof(void *) >= 2 * sizeof(unsigned long).

Even if large width is not used on existing targets it is better to fix
the formatting code to avoid surprises.

Reviewed-by: Florian Weimer <fweimer@redhat.com>
Szabolcs Nagy 2022-10-11 14:22:35 +01:00
parent 68619ddb3b
commit eef17d4d9f

@ -163,8 +163,11 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
/* We use alloca() to allocate the buffer with the most /* We use alloca() to allocate the buffer with the most
pessimistic guess for the size. Using alloca() allows pessimistic guess for the size. Using alloca() allows
having more than one integer formatting in a call. */ having more than one integer formatting in a call. */
char *buf = (char *) alloca (1 + 3 * sizeof (unsigned long int)); int size = 1 + 3 * sizeof (unsigned long int);
char *endp = &buf[1 + 3 * sizeof (unsigned long int)]; if (width + 1 > size)
size = width + 1;
char *buf = (char *) alloca (size);
char *endp = &buf[size];
char *cp = _itoa (num, endp, *fmt == 'x' ? 16 : 10, 0); char *cp = _itoa (num, endp, *fmt == 'x' ? 16 : 10, 0);
/* Pad to the width the user specified. */ /* Pad to the width the user specified. */
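Review bot: The new `if (width + 1 > size)` check raises the alloca size to whatever `width` asks for but applies no upper bound, and `size` is an `int` although it is initialised from a `sizeof` expression and then passed to `alloca (size)`. The declaration of `width` is outside this hunk, so please confirm its type and range: if it is a signed int parsed from the format string, `width + 1` can overflow for a very large value, and a large but valid value grows the stack frame with no check. Consider declaring `size` as `size_t` and clamping or asserting `width` against a small maximum before the comparison. The comment above the allocation still describes "the most pessimistic guess for the size", which no longer covers the width-dependent case; a sentence noting that the buffer must also hold `width` padding characters would keep it accurate.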