From: Paul Eggert <eggert@cs.ucla.edu>
To: Juanma Barranquero <lekktu@gmail.com>
Cc: 8545@debbugs.gnu.org
Subject: bug#8545: issues with recent doprnt-related changes
Date: Wed, 27 Apr 2011 20:11:52 -0700
Message-ID: <4DB8DAF8.7070408@cs.ucla.edu>
In-Reply-To: <BANLkTi=_735V1eMctO2-mnrs93KqbNDHzQ@mail.gmail.com>
On 04/27/11 18:32, Juanma Barranquero wrote:
> A cursory look suggests that fmt == format_end + 1 is possible
Thanks, I had missed that possibility. (Evidently your cursory looks
are better than mine. :-) A possible patch is below.
> would it be undefined behavior,
> as long as the pointer has not been dereferenced?
Yes. A portable C program is not allowed to create a pointer that
doesn't point to an object, with the two exceptions of a null pointer
and a pointer to the address immediately after an object. On
some architectures, attempting to point to random addresses can cause
exceptions or other undefined behavior.
=== modified file 'src/doprnt.c'
--- src/doprnt.c 2011-04-27 23:04:20 +0000
+++ src/doprnt.c 2011-04-28 03:00:59 +0000
@@ -194,22 +194,21 @@ doprnt (char *buffer, register size_t bu
This might be a field width or a precision; e.g.
%1.1000f and %1000.1f both might need 1000+ bytes.
Parse the width or precision, checking for overflow. */
- size_t n = *fmt - '0';
- while (fmt < format_end
- && '0' <= fmt[1] && fmt[1] <= '9')
+ size_t n = *fmt++ - '0';
+ while (fmt < format_end && '0' <= *fmt && *fmt <= '9')
{
if (n >= SIZE_MAX / 10
|| n * 10 > SIZE_MAX - (fmt[1] - '0'))
error ("Format width or precision too large");
- n = n * 10 + fmt[1] - '0';
- *string++ = *++fmt;
+ n = n * 10 + *fmt - '0';
+ *string++ = *fmt++;
}
if (size_bound < n)
size_bound = n;
}
else if (*fmt == '-' || *fmt == ' ' || *fmt == '.' || *fmt == '+')
- ;
+ fmt++;
else if (*fmt == 'l')
{
long_flag = 1 + (fmt + 1 < format_end && fmt[1] == 'l');
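Review bot: the overflow guard at `|| n * 10 > SIZE_MAX - (fmt[1] - '0')` was not updated to match the new accumulation line `n = n * 10 + *fmt - '0';`, so it tests the byte after the digit being added rather than the digit itself. That byte is not covered by the loop condition `fmt < format_end && '0' <= *fmt && *fmt <= '9'` (it may be the byte at format_end), and when it is not a digit the arithmetic goes wrong: for a width such as 12 followed by '.', fmt[1] - '0' is -2, which converts to SIZE_MAX - 1 in the subtraction, so the guard becomes n * 10 > 1 and the "Format width or precision too large" error fires for an ordinary "%12.5f". Replacing fmt[1] with *fmt in the guard fixes both problems and leaves every dereference in the loop behind the fmt < format_end test.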
@@ -218,10 +217,7 @@ doprnt (char *buffer, register size_t bu
}
else
break;
- fmt++;
}
- if (fmt > format_end)
- fmt = format_end;
*string = 0;
/* Make the size bound large enough to handle floating point formats
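Review bot: dropping the shared `fmt++;` at the bottom of the loop means every branch must now advance fmt on its own; the previous hunk shows that for the digit branch (`*fmt++`) and the flag branch (`fmt++`), but the advance for the `'l'` branch falls in the lines elided between the two hunks and cannot be checked here. Confirm it moves fmt by long_flag (1 or 2), since a branch that leaves fmt unchanged now loops forever instead of being pushed along by the removed increment. Removing `if (fmt > format_end) fmt = format_end;` is right only under the same invariant: the visible `fmt < format_end` and `fmt + 1 < format_end` tests keep fmt at or before format_end, and because the clamp no longer masks a regression, an assertion that fmt <= format_end just before `*string = 0;` would record the assumption the new code depends on.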
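As an added illustration, not part of the patch or of Emacs, here is a self-contained scanner built on the structure the patch moves to: every branch advances the pointer itself and every read is guarded by a p < format_end test, so the pointer can come to rest at format_end, the one-past-the-end address the reply above says C permits, but never beyond it, and no clamp is needed afterwards. The names struct spec, scan_spec, scan_str and scan_unterminated are this example's own, and the sample specs fed to it are constructed, including one buffer with no terminating NUL to show that nothing is read at format_end.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Emacs code.  Bounded scanner for the flags, width,
   precision and length modifier that follow '%' in a printf-style format,
   shaped like the patched doprnt loop: every dereference is guarded by a
   p < format_end test and every branch advances p itself, so p may end equal
   to format_end (the one-past-the-end pointer C allows) but never beyond it.  */

struct spec
{
  size_t size_bound;   /* largest width or precision seen */
  size_t consumed;     /* bytes scanned; the conversion char is at fmt + consumed */
  int long_flag;       /* 0, 1 for 'l', 2 for 'll' */
  int too_large;       /* a width or precision would not fit in size_t */
};

/* Scan [fmt, format_end) into *sp and return the number of bytes consumed.  */
static size_t
scan_spec (const char *fmt, const char *format_end, struct spec *sp)
{
  const char *p = fmt;
  memset (sp, 0, sizeof *sp);
  while (p < format_end)
    {
      if ('0' <= *p && *p <= '9')
        {
          size_t n = (size_t) (*p++ - '0');
          while (p < format_end && '0' <= *p && *p <= '9')
            {
              size_t digit = (size_t) (*p - '0');
              /* Guard against the digit actually being added, not p[1].  */
              if (n > SIZE_MAX / 10 || n * 10 > SIZE_MAX - digit)
                {
                  sp->too_large = 1;   /* doprnt calls error () here */
                  break;
                }
              n = n * 10 + digit;
              p++;
            }
          if (sp->too_large)
            break;
          if (sp->size_bound < n)
            sp->size_bound = n;
        }
      else if (*p == '-' || *p == ' ' || *p == '.' || *p == '+')
        p++;
      else if (*p == 'l')
        {
          /* p[1] is read only after checking that it lies before format_end.  */
          sp->long_flag = 1 + (p + 1 < format_end && p[1] == 'l');
          p += sp->long_flag;
        }
      else
        break;
    }
  assert (p <= format_end);   /* the invariant that makes a clamp unnecessary */
  sp->consumed = (size_t) (p - fmt);
  return sp->consumed;
}

/* Scan the text that follows '%' in a NUL-terminated sample spec.  */
static struct spec
scan_str (const char *s)
{
  struct spec sp;
  scan_spec (s, s + strlen (s), &sp);
  return sp;
}

/* Constructed sample with no terminating NUL: the digits run right up to
   format_end, so reading fmt[3] would be out of bounds.  */
static struct spec
scan_unterminated (void)
{
  static const char fmt[3] = { '1', '2', '3' };
  struct spec sp;
  scan_spec (fmt, fmt + sizeof fmt, &sp);
  return sp;
}

int main (void)
{
  struct spec sp = scan_str ("1000.1f");
  printf ("1000.1f: bound %zu, consumed %zu\n", sp.size_bound, sp.consumed);
  sp = scan_str ("-12lld");
  printf ("-12lld: bound %zu, long_flag %d\n", sp.size_bound, sp.long_flag);
  sp = scan_unterminated ();
  printf ("unterminated 123: bound %zu, consumed %zu\n", sp.size_bound, sp.consumed);
  printf ("23 nines: too_large %d\n", scan_str ("99999999999999999999999").too_large);
  return 0;
}
```

The inner digit loop is the part the patch changes: the overflow guard and the accumulation look at the same byte, *p, and the outer loop has no trailing increment, so a branch that forgot to advance p would be caught by the assert rather than silently stepping past format_end.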
Thread overview: 56+ messages
2011-04-25 5:46 bug#8545: issues with recent doprnt-related changes Paul Eggert
2011-04-25 9:00 ` Eli Zaretskii
2011-04-25 13:37 ` Stefan Monnier
2011-04-26 20:25 ` Paul Eggert
2011-04-27 1:14 ` Stefan Monnier
2011-04-26 6:02 ` Paul Eggert
2011-04-27 19:34 ` Eli Zaretskii
2011-04-27 23:51 ` Paul Eggert
2011-04-28 1:32 ` Juanma Barranquero
2011-04-28 3:11 ` Paul Eggert [this message]
2011-04-28 3:42 ` Juanma Barranquero
2011-04-28 5:06 ` Paul Eggert
2011-04-28 5:15 ` Eli Zaretskii
2011-04-28 5:29 ` Paul Eggert
2011-04-28 6:10 ` Eli Zaretskii
2011-04-28 6:42 ` Paul Eggert
2011-04-28 7:26 ` Eli Zaretskii
2011-04-28 7:54 ` Paul Eggert
2011-04-28 11:14 ` Eli Zaretskii
2011-04-29 12:28 ` Richard Stallman
2011-04-29 19:56 ` Eli Zaretskii
2011-04-29 23:49 ` Paul Eggert
2011-04-30 21:03 ` Richard Stallman
2011-05-01 5:41 ` Paul Eggert
2011-05-01 23:59 ` Richard Stallman
2011-05-02 0:23 ` Paul Eggert
[not found] ` <E1QH37h-0001yM-HR@fencepost.gnu.org>
2011-05-03 20:24 ` Paul Eggert
2011-05-01 4:25 ` Jason Rumney
2011-05-01 5:56 ` Paul Eggert
2011-05-01 8:12 ` Jason Rumney
2011-05-01 11:02 ` Andreas Schwab
2011-04-28 5:02 ` Eli Zaretskii
2011-04-28 5:50 ` Eli Zaretskii
[not found] ` <4DB9146D.2040702@cs.ucla.edu>
[not found] ` <E1QFQVO-0004Dq-6o@fencepost.gnu.org>
[not found] ` <4DB9E5FF.9020506@cs.ucla.edu>
2011-04-29 11:16 ` Eli Zaretskii
2011-04-29 14:41 ` Paul Eggert
2011-04-29 19:35 ` Eli Zaretskii
2011-04-29 20:32 ` Paul Eggert
2011-04-30 8:59 ` Eli Zaretskii
2011-05-04 7:28 ` Paul Eggert
2011-05-04 9:52 ` Eli Zaretskii
2011-05-04 14:56 ` Paul Eggert
[not found] ` <4DC1692B.1090101@cs.ucla.edu>
2011-05-05 20:36 ` Eli Zaretskii
[not found] ` <83ei4cnau6.fsf@gnu.org>
2011-05-06 13:33 ` Stefan Monnier
[not found] ` <jwvsjss2bz3.fsf-monnier+emacs@gnu.org>
2011-05-06 14:41 ` Paul Eggert
2011-05-06 15:03 ` Eli Zaretskii
[not found] ` <83vcxnlvl9.fsf@gnu.org>
2011-05-06 17:13 ` Stefan Monnier
[not found] ` <jwv8vuj21q0.fsf-monnier+emacs@gnu.org>
2011-05-06 19:57 ` Eli Zaretskii
[not found] ` <83k4e3lhzp.fsf@gnu.org>
2011-05-07 3:18 ` Stefan Monnier
[not found] ` <jwvr58byz9s.fsf-monnier+emacs@gnu.org>
2011-05-07 7:55 ` Eli Zaretskii
-- strict thread matches above, loose matches on Subject: below --
2011-05-01 18:19 bug#8601: * 2 -> * 4 typo fix in detect_coding_charset Paul Eggert
2011-05-01 19:06 ` Andreas Schwab
2011-05-01 19:25 ` Paul Eggert
2011-05-06 7:29 ` bug#8601: Merged fixes for 8600, 8601, 8602, and (partially) for 8545 Paul Eggert
2020-09-14 12:37 ` bug#8545: " Lars Ingebrigtsen
2020-09-14 18:41 ` Eli Zaretskii
2020-09-16 2:01 ` Paul Eggert
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/emacs.git