From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#8545: issues with recent doprnt-related changes
Date: Wed, 27 Apr 2011 20:11:52 -0700
Organization: UCLA Computer Science Department
Message-ID: <4DB8DAF8.7070408@cs.ucla.edu>
To: Juanma Barranquero
Cc: 8545@debbugs.gnu.org

On 04/27/11 18:32, Juanma Barranquero wrote:

> A cursory look suggests that fmt == format_end + 1 is possible

Thanks, I had missed that possibility. (Evidently your cursory looks are better than mine. :-) A possible patch is below.

> would it be undefined behavior,
> as long as the pointer has not been dereferenced?

Yes. A portable C program is not allowed to create a pointer that doesn't point to an object, with the two exceptions of a null pointer and a pointer to the address immediately after an object. On some architectures, attempting to point to random addresses can cause exceptions or other undefined behavior.

=== modified file 'src/doprnt.c' --- src/doprnt.c 2011-04-27 23:04:20 +0000 +++ src/doprnt.c 2011-04-28 03:00:59 +0000 @@ -194,22 +194,21 @@ doprnt (char *buffer, register size_t bu This might be a field width or a precision; e.g. %1.1000f and %1000.1f both might need 1000+ bytes. Parse the width or precision, checking for overflow. */ - size_t n = *fmt - '0'; - while (fmt < format_end - && '0' <= fmt[1] && fmt[1] <= '9') + size_t n = *fmt++ - '0'; + while (fmt < format_end && '0' <= *fmt && *fmt <= '9') { if (n >= SIZE_MAX / 10 || n * 10 > SIZE_MAX - (fmt[1] - '0')) error ("Format width or precision too large"); - n = n * 10 + fmt[1] - '0'; - *string++ = *++fmt; + n = n * 10 + *fmt - '0'; + *string++ = *fmt++; } if (size_bound < n) size_bound = n; } else if (*fmt == '-' || *fmt == ' ' || *fmt == '.' || *fmt == '+') - ; + fmt++; else if (*fmt == 'l') { long_flag = 1 + (fmt + 1 < format_end && fmt[1] == 'l'); 
@@ -218,10 +217,7 @@ doprnt (char *buffer, register size_t bu } else break; - fmt++; } - if (fmt > format_end) - fmt = format_end; *string = 0; /* Make the size bound large enough to handle floating point formats
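
Review bot: In the first hunk (@@ -194,22 +194,21 @@), the overflow check kept as unchanged context still reads `fmt[1]` (`n * 10 > SIZE_MAX - (fmt[1] - '0')`), but after this change `fmt` already points at the digit being accumulated, so the check tests the character after it rather than the one added by `n = n * 10 + *fmt - '0';`. When `fmt == format_end - 1` that is also a read at `format_end`, outside the range the loop condition `fmt < format_end` guards. The check should use `*fmt` so it matches the accumulation line.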
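
Review bot: In the second hunk (@@ -218,10 +217,7 @@), removing the shared `fmt++` together with the `if (fmt > format_end) fmt = format_end;` clamp makes every branch of the chain responsible for advancing `fmt` itself and for never stepping past `format_end`. The digit and flag branches in the first hunk now do their own `fmt++`, but the lines of the `*fmt == 'l'` branch that would advance it fall between the two hunks and are not shown. It is worth confirming that branch advances by exactly the one or two `l` characters counted in `long_flag`, and adding a comment where the clamp was removed stating the invariant `fmt <= format_end`.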
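
The pointer rule stated in the reply above, as an added C example that is not part of the original message or of Emacs's doprnt.c: a digit scanner that only ever holds pointers inside the buffer or one past its end, and checks `size_t` overflow against the digit it is about to add. The names `parse_width` and `demo_consumed` and the sample inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not from doprnt.c): parse a run of decimal digits
   starting at *pp without moving the pointer outside [*pp, end].
   Returns 0 and stores the value in *out, or -1 on size_t overflow.  */
static int
parse_width (const char **pp, const char *end, size_t *out)
{
  const char *p = *pp;
  size_t n = 0;

  /* p == end (one past the last byte) is a valid pointer value but must
     not be dereferenced, so test p < end before every *p.  */
  while (p < end && '0' <= *p && *p <= '9')
    {
      size_t digit = (size_t) (*p - '0');
      /* Check before multiplying: n * 10 + digit must fit in size_t.  */
      if (n > (SIZE_MAX - digit) / 10)
        return -1;
      n = n * 10 + digit;
      p++;   /* can reach end, never end + 1 */
    }
  *pp = p;
  *out = n;
  return 0;
}

/* Returns how many bytes of the (constructed) input were consumed,
   or (size_t) -1 if the number does not fit in size_t.  */
static size_t
demo_consumed (const char *s, size_t len, size_t *value)
{
  const char *p = s;
  if (parse_width (&p, s + len, value) != 0)
    return (size_t) -1;
  return (size_t) (p - s);
}

int
main (void)
{
  size_t v = 0;
  size_t used = demo_consumed ("1000f", 5, &v);   /* constructed input */
  printf ("consumed %zu bytes, width %zu\n", used, v);
  return 0;
}
```
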