From: Paul Eggert
Newsgroups: gmane.emacs.bugs
Subject: bug#8545: issues with recent doprnt-related changes
Date: Wed, 27 Apr 2011 23:42:57 -0700
Organization: UCLA Computer Science Department
Message-ID: <4DB90C71.6060804@cs.ucla.edu>
References: <4DB50AB9.6060100@cs.ucla.edu> <83tydmaeo3.fsf@gnu.org> <4DB65FF1.5010003@cs.ucla.edu> <83aafb8p4a.fsf@gnu.org> <4DB8ABEA.3080503@cs.ucla.edu> <4DB8DAF8.7070408@cs.ucla.edu> <4DB8FB35.5090205@cs.ucla.edu>
To: Eli Zaretskii
Cc: lekktu@gmail.com, 8545@debbugs.gnu.org
Xref: news.gmane.org gmane.emacs.bugs:46059

On 04/27/11 23:10, Eli Zaretskii wrote:

> No, it can dereference *(format_end+1).
>
>> If the intent here is that one should call doprnt with
>> the pattern (doprnt (A, ASIZE, B, B + BSIZE - 1, AP)) then
>> I suggest that the point be made clearly in doprnt's comment,
>> as part of doprnt's API, to prevent future confusion in
>> this area.
>
> No, it should be called as B+BSIZE.

OK, but format_end == B + BSIZE. So if doprnt (A, ASIZE, B, B + BSIZE, AP) can dereference format_end + 1, this means doprnt can access B[BSIZE + 1], which means that B should point to a char array of at least BSIZE + 2 bytes.

Normally, B is a C-language string literal such as "abc%d", and BSIZE is the length of the string, which means there is potential trouble because normally code should not try to read the byte that follows the null byte at the end of the string.

I expect that the cases where doprnt actually accesses B[BSIZE + 1] are rare, and don't currently happen in practice; still, this is a confusing area and whatever constraints are actually placed on doprnt's caller should be made clear in the doprnt documentation, so that others are warned about the situation and don't make the mistake of passing formats that could cause problems.
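The bounds rule this message is arguing for, shown in an added example that is not Emacs code and not the real doprnt: a toy format scanner that takes the same (B, B + BSIZE) pair and guards every lookahead after '%' with a pointer check, so a format whose last byte is '%' is rejected instead of reading B[BSIZE] or B[BSIZE + 1]. The function names and the small set of accepted conversions are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative scanner (assumed names, not Emacs's doprnt): counts the
   conversion directives in [fmt, fmt_end), where fmt_end == B + BSIZE
   as in the thread.  Every read of a byte is preceded by a check that
   its address is below fmt_end, so the scanner never touches the NUL at
   B[BSIZE] or the byte after it.  Returns the directive count, or -1 if
   the format is malformed: a '%' with no following byte inside the
   buffer, width digits running to the end, or an unknown conversion. */
int count_directives(const char *fmt, const char *fmt_end)
{
    int n = 0;
    while (fmt < fmt_end) {
        if (*fmt != '%') { fmt++; continue; }
        /* Lookahead after '%': fmt[1] lies outside the format unless
           fmt + 1 < fmt_end.  This is the check whose absence lets a
           scanner dereference format_end (or format_end + 1). */
        if (fmt + 1 >= fmt_end)
            return -1;          /* trailing '%': would read past end */
        fmt++;
        if (*fmt == '%') { fmt++; continue; }   /* literal "%%" */
        /* Skip a '-' flag and width digits, still bounded by fmt_end. */
        while (fmt < fmt_end && (*fmt == '-' || (*fmt >= '0' && *fmt <= '9')))
            fmt++;
        if (fmt >= fmt_end)
            return -1;          /* width ran to the end, no conversion */
        switch (*fmt) {
        case 'd': case 's': case 'c': case 'x':
            n++; fmt++; break;
        default:
            return -1;          /* unknown conversion character */
        }
    }
    return n;
}

/* Wrapper using the calling pattern from the thread with a string
   literal: B and B + BSIZE, where BSIZE = strlen (B). */
int count_directives_str(const char *b)
{
    return count_directives(b, b + strlen(b));
}
```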