The problem is that the * in the format string consumes an int argument. If we were source code pedants, we'd say it's UB to pass a size_t and leave it there. But with common architectures and ABIs, could this bug be exploited?
Replying to @volatile_void @dekisu
On a 32-bit arch where int and size_t are both 32-bit, the size 0x80000000 is likely to be interpreted as a negative value. But look at the last sentence of this clause: https://port70.net/~nsz/c/c11/n1570.html#7.21.6.1p5 … (negative precisions are ignored)
Replying to @volatile_void @dekisu
But since I take the informal specification to implicitly state that src and dst must not overlap, I can't build an example (it would require dst >2GiB and src larger than dst).
Replying to @volatile_void
fun! what happens in 64 bit archs? i have no idea what *really* happens when you pass a 64 bit size_t to an int parameter that also happens to be a vararg. does that case just work because of an implementation detail?
Replying to @dekisu
On the only 64-bit architecture ABI I am familiar with (macOS on x86-64), the value would be passed as the same 32/64-bit register as either int or size_t. So funny things may happen when the size_t argument is interpreted as an int… … … wait, you're right, this might work.
Replying to @volatile_void @dekisu
It really depends on how the code of sprintf is written/translated to assembly, but in theory this may work on some 64-bit architectures. It doesn't on mine. https://pastebin.com/yAWKZ4Yp
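The following is an added example, not code from the thread or from any of its participants. It models the case the thread is discussing: an LP64 size_t is handed to `%.*s`, the callee reads it back as a 32-bit int, and a value such as 0x80000000 becomes negative, which C11 7.21.6.1p5 says printf treats as "no precision", so the whole source string is written instead of at most n bytes. The helper `precision_as_seen_by_printf` is an assumption about the common ABI behaviour (32-bit int, two's complement, low 32 bits of the register or stack slot read back); the original call is still UB, so the model only explains what is typically observed. The hardened variant `copy_prefix_checked` converts to int only after checking the value is representable.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Output buffer shared by the helpers so the result can be inspected. */
static char out[64];

/* What printf's '*' sees once an LP64 size_t has been read back as a 32-bit int:
 * the low 32 bits, reinterpreted as signed. Assumption: 32-bit int, two's
 * complement, and the callee reading only the low half of the slot. This models
 * the common ABI behaviour; it does not make the size_t-to-'*' call correct. */
static int precision_as_seen_by_printf(size_t n)
{
    unsigned int low = (unsigned int)n;     /* modular truncation: well-defined */
    if (low <= (unsigned int)INT_MAX)
        return (int)low;
    return -(int)(UINT_MAX - low) - 1;      /* two's complement reinterpretation */
}

/* Well-defined call: the precision is a genuine int. A negative precision is
 * taken as "no precision" (C11 7.21.6.1p5), so the whole string is written.
 * Returns snprintf's result. */
static int format_into_out(const char *src, int prec)
{
    return snprintf(out, sizeof out, "%.*s", prec, src);
}

/* Hardened form of the pattern from the thread: convert only when the value is
 * representable as int; otherwise refuse, rather than let a negative precision
 * turn "copy at most n bytes" into "copy the whole string". */
static int copy_prefix_checked(const char *src, size_t n)
{
    if (n > (size_t)INT_MAX)
        return -1;                          /* caller must treat as an error */
    return snprintf(out, sizeof out, "%.*s", (int)n, src);
}

int main(void)
{
    const char *src = "0123456789";         /* constructed sample input */
    size_t sizes[] = {
        4,
        (size_t)0x80000000u,                /* becomes INT_MIN: precision ignored */
        (size_t)0xffffffffu,                /* becomes -1: precision ignored */
#if SIZE_MAX > 0xffffffffu
        ((size_t)1 << 32) + 4,              /* high bits lost: silently acts as 4 */
#endif
    };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int prec = precision_as_seen_by_printf(sizes[i]);
        int len = format_into_out(src, prec);
        printf("n=%#zx -> int %d -> wrote %d chars: \"%s\"\n",
               sizes[i], prec, len, out);
        printf("  checked variant returns %d\n", copy_prefix_checked(src, sizes[i]));
    }
    return 0;
}
```

Compile with `-Wformat` (on by default with `-Wall` in gcc and clang): the real size_t-for-int call that started the thread is flagged as a format/argument type mismatch, which is the cheapest way to catch this class of bug before it reaches an ABI where the truncation happens to "work".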
Replying to @volatile_void @dekisu
Related: is it UB to overflow the return value of *printf()?
Replying to @tavianator
Well
@RichFelker has convinced me that the following interpretation is the only one possible: it would be incorrect for printf to print any number of characters other than the nonnegative number it returns, so if the format and arguments mandate more than INT_MAX characters, …
- printf cannot print anything other than the characters specified by the format and arguments
- printf cannot return the nonnegative length of this result, and therefore
- printf must return a negative value and print nothing.
Replying to @volatile_void @tavianator
Surely printf can legitimately return an error (e.g. EILSEQ) after some output.
The obligation to return # of chars produced only exists when printf succeeds.
Replying to @RichFelker @tavianator
Ah, thanks for clarifying that aspect.