NetBSD Problem Report #42466

From yasuoka@iij.ad.jp  Thu Dec 17 13:33:34 2009
Return-Path: <yasuoka@iij.ad.jp>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
	by www.NetBSD.org (Postfix) with ESMTP id 7EF6563B844
	for <gnats-bugs@gnats.NetBSD.org>; Thu, 17 Dec 2009 13:33:34 +0000 (UTC)
Message-Id: <20091217.223330.126201589.yasuoka@iij.ad.jp>
Date: Thu, 17 Dec 2009 22:33:30 +0900 (JST)
From: Yasuoka Masahiko <yasuoka@iij.ad.jp>
To: gnats-bugs@gnats.NetBSD.org
Subject: vsnprintf_ss() causes infinite loop

>Number:         42466
>Category:       bin
>Synopsis:       vsnprintf_ss() causes infinite loop
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Dec 17 13:35:00 +0000 2009
>Closed-Date:    Tue Sep 08 04:26:16 +0000 2015
>Last-Modified:  Tue Sep 08 04:26:16 +0000 2015
>Originator:     yasuoka@iij.ad.jp
>Release:        NetBSD 5.0.1
>Organization:
Internet Initiative Japan Inc.
>Environment:
System: NetBSD yasuoka-nb.iij.ad.jp 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30 01:39:11 UTC 2009 builds@b8.netbsd.org:/home/builds/ab/netbsd-5-0-1-RELEASE/i386/200907292356Z-obj/home/builds/ab/netbsd-5-0-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
Architecture: i386
Machine: i386
>Description:

Programs using vsnprintf_ss() cause an infinite loop.

lib/libc/stdio/vsnprintf.c 1.21 

    113 #define PUTCHAR(C) do {                                 \
    114         if (sbuf < tailp)                               \
    115                 *sbuf++ = (C);                          \
    116 } while (/*CONSTCOND*/0)

    (snip)

    164         for (;;) {
    165                 while (*fmt != '%' && *fmt) {
    166                         ret++;
    167                         PUTCHAR(*fmt++);
    168                 }

To break out of the 'while' at 165, 'fmt' must be incremented on every
iteration.  But PUTCHAR(C) is a macro function; it doesn't increment the
macro value 'C' in case 'sbuf >= tailp'.  This causes an infinite loop.

>How-To-Repeat:

The test program below (archived by shar(1)) reproduces the problem on
NetBSD 5.0.1/i386.

# This is a shell archive.  Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file".  Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
#       vsnprintf/Makefile
#       vsnprintf/vsnprintf_test.c
#
echo x - vsnprintf/Makefile
sed 's/^X//' >vsnprintf/Makefile << 'END-of-vsnprintf/Makefile'
XNOMAN=         #
XPROG=          vsnprintf_test
X
X.include <bsd.prog.mk>
END-of-vsnprintf/Makefile
echo x - vsnprintf/vsnprintf_test.c
sed 's/^X//' >vsnprintf/vsnprintf_test.c << 'END-of-vsnprintf/vsnprintf_test.c'
X#include <sys/types.h>
X#include <stdlib.h>
X#include <string.h>
X
Xint snprintf_ss(char *, size_t size, const char *, ...);
X
Xint
Xmain(int argc, char *argv[])
X{
X       char buf0[32], buf1[32];
X
X       memset(buf1, 'A', sizeof(buf1));
X       buf1[31] = '\0';
X
X       snprintf_ss(buf0, sizeof(buf0), "%sZZZZ", buf1);
X
X       exit(EXIT_SUCCESS);
X}
X
X
END-of-vsnprintf/vsnprintf_test.c
exit

>Fix:

Index: vsnprintf_ss.c
===================================================================
RCS file: /cvsroot/NetBSD/src/lib/libc/stdio/vsnprintf_ss.c,v
retrieving revision 1.8
diff -b -u -p -r1.8 vsnprintf_ss.c
--- vsnprintf_ss.c      25 Oct 2009 20:44:13 -0000      1.8
+++ vsnprintf_ss.c      17 Dec 2009 13:07:08 -0000
@@ -164,7 +164,8 @@ vsnprintf_ss(char *sbuf, size_t slen, co
        for (;;) {
                while (*fmt != '%' && *fmt) {
                        ret++;
-                       PUTCHAR(*fmt++);
+                       PUTCHAR(*fmt);
+                       fmt++;
                }
                if (*fmt == 0)
                        goto done;
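Review bot: the change is correct for this call site but leaves the underlying hazard in place: PUTCHAR evaluates its argument only under `if (sbuf < tailp)`, so any argument with a side effect (as the removed `PUTCHAR(*fmt++)` had) stops having that effect as soon as the buffer is full. Two follow-ups are worth considering: audit the other PUTCHAR call sites in this file for side effects in the argument, and make the macro itself robust by evaluating `C` exactly once into a local before the bounds check (e.g. `int _c = (C); if (sbuf < tailp) *sbuf++ = _c;`), so a caller cannot reintroduce this bug. Leaving `ret++` unconditional is right, since the return value has to keep counting the characters that did not fit.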

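The defect described in this PR, as an added example that is not part of the report or of NetBSD's libc: a stripped-down model of the vsnprintf_ss() text-copying loop, using a PUTCHAR macro of the same shape as the one quoted above. copy_buggy() keeps the increment inside the macro argument, as revision 1.8 did; copy_fixed() follows the shape of the patch. MAX_STEPS is a constructed bound that turns the hang into a -1 return so it can be observed; the buffer size, input string and demo_* helpers are likewise constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed bound so the defective loop returns instead of hanging. */
#define MAX_STEPS 1000

/* PUTCHAR with the same shape as the macro quoted from vsnprintf_ss.c:
 * the argument C is evaluated only when there is room left, so any side
 * effect inside C silently stops happening once the buffer is full.
 * Like the original, it refers to the caller's 'sbuf' and 'tailp'. */
#define PUTCHAR(C) do {                                 \
        if (sbuf < tailp)                               \
                *sbuf++ = (C);                          \
} while (/*CONSTCOND*/0)

/*
 * Model of the literal-text path of the vsnprintf_ss() loop (no '%'
 * conversions are handled).  'tailp' reserves one byte for the NUL.
 * Returns the number of characters the complete output would need, or
 * -1 if the loop did not terminate within MAX_STEPS.
 */
int
copy_buggy(char *buf, size_t len, const char *fmt)
{
        char *sbuf = buf;
        char *tailp = len > 0 ? buf + len - 1 : buf;
        int ret = 0, steps = 0;

        while (*fmt) {
                if (++steps > MAX_STEPS)
                        return -1;      /* fmt stopped advancing */
                ret++;
                PUTCHAR(*fmt++);        /* increment lives inside the argument */
        }
        if (len > 0)
                *sbuf = '\0';
        return ret;
}

/* Same loop with the side effect hoisted out of the macro argument, which
 * is the shape of the PR's patch: fmt advances on every iteration. */
int
copy_fixed(char *buf, size_t len, const char *fmt)
{
        char *sbuf = buf;
        char *tailp = len > 0 ? buf + len - 1 : buf;
        int ret = 0, steps = 0;

        while (*fmt) {
                if (++steps > MAX_STEPS)
                        return -1;
                ret++;
                PUTCHAR(*fmt);
                fmt++;
        }
        if (len > 0)
                *sbuf = '\0';
        return ret;
}

/* Constructed input: 10 characters copied into an 8-byte buffer, so the
 * buffer fills after 7 characters and the remaining 3 do not fit. */
static const char INPUT[] = "ABCDEFGHIJ";

int demo_buggy(void)       { char b[8]; return copy_buggy(b, sizeof b, INPUT); }
int demo_fixed(void)       { char b[8]; return copy_fixed(b, sizeof b, INPUT); }
int demo_short_input(void) { char b[8]; return copy_buggy(b, sizeof b, "ABC"); }

/* 1 if the fixed loop left the expected truncated, NUL-terminated output. */
int
demo_fixed_output_ok(void)
{
        char b[8];

        copy_fixed(b, sizeof b, INPUT);
        return strcmp(b, "ABCDEFG") == 0;
}

int
main(void)
{
        printf("buggy, input fits:      %d\n", demo_short_input()); /* 3  */
        printf("buggy, input too long:  %d\n", demo_buggy());       /* -1 */
        printf("fixed, input too long:  %d\n", demo_fixed());       /* 10 */
        return 0;
}
```

The defective loop behaves correctly as long as the input fits, which is why the bug only shows up with a format string longer than the destination, exactly the situation the shar'd test program constructs with its 31-byte buf1 and a 32-byte buf0.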
>Release-Note:

>Audit-Trail:
From: Yasuoka Masahiko <yasuoka@iij.ad.jp>
To: gnats-bugs@NetBSD.org, gnats-admin@netbsd.org
Cc: 
Subject: Re: bin/42466: vsnprintf_ss() causes infinite loop
Date: Thu, 17 Dec 2009 22:54:17 +0900 (JST)

 On Thu, 17 Dec 2009 22:33:30 +0900 (JST)
 Yasuoka Masahiko <yasuoka@iij.ad.jp> wrote:
 >>Description:
 > 
 > Programs using vsnprintf_ss() cause a infinite loop.
 > 
 > lib/libc/stdio/vsnprintf.c 1.21 

 Sorry, the filename should be 'lib/libc/stdio/vsnprintf_ss.c'.

 --yasuoka

From: Christos Zoulas <christos@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc: 
Subject: PR/42466 CVS commit: src/lib/libc/stdio
Date: Thu, 17 Dec 2009 10:19:49 -0500

 Module Name:	src
 Committed By:	christos
 Date:		Thu Dec 17 15:19:49 UTC 2009

 Modified Files:
 	src/lib/libc/stdio: vsnprintf_ss.c

 Log Message:
 PR/42466: Yasuoka Masahiko: vsnprintf_ss() causes infinite loop


 To generate a diff of this commit:
 cvs rdiff -u -r1.8 -r1.9 src/lib/libc/stdio/vsnprintf_ss.c

 Please note that diffs are not public domain; they are subject to the
 copyright notices on the relevant files.

State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Tue, 08 Sep 2015 04:26:16 +0000
State-Changed-Why:
Christos committed it back in 2009. (and christos never closes PRs)


>Unformatted:
