From mboxrd@z Thu Jan  1 00:00:00 1970
Path: news.gmane.org!not-for-mail
From: Eli Zaretskii <eliz@gnu.org>
Newsgroups: gmane.emacs.bugs
Subject: bug#8545: issues with recent doprnt-related changes
Date: Thu, 28 Apr 2011 03:26:28 -0400
Message-ID: <E1QFLcK-0006Sx-Bc@fencepost.gnu.org>
References: <4DB50AB9.6060100@cs.ucla.edu> <83tydmaeo3.fsf@gnu.org>
	<4DB65FF1.5010003@cs.ucla.edu> <83aafb8p4a.fsf@gnu.org>
	<4DB8ABEA.3080503@cs.ucla.edu>
	<BANLkTi=_735V1eMctO2-mnrs93KqbNDHzQ@mail.gmail.com>
	<4DB8DAF8.7070408@cs.ucla.edu>
	<E1QFJZY-0007Sr-8c@fencepost.gnu.org>
	<4DB8FB35.5090205@cs.ucla.edu>
	<E1QFKRD-0001nu-So@fencepost.gnu.org>
	<4DB90C71.6060804@cs.ucla.edu>
Reply-To: Eli Zaretskii <eliz@gnu.org>
NNTP-Posting-Host: lo.gmane.org
X-Trace: dough.gmane.org 1303976220 19742 80.91.229.12 (28 Apr 2011 07:37:00 GMT)
X-Complaints-To: usenet@dough.gmane.org
NNTP-Posting-Date: Thu, 28 Apr 2011 07:37:00 +0000 (UTC)
Cc: lekktu@gmail.com, 8545@debbugs.gnu.org
To: Paul Eggert <eggert@cs.ucla.edu>
Original-X-From: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org Thu Apr 28 09:36:55 2011
Return-path: <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>
Envelope-to: geb-bug-gnu-emacs@m.gmane.org
Original-Received: from lists.gnu.org ([140.186.70.17])
	by lo.gmane.org with esmtp (Exim 4.69)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1QFLmR-0008Eh-2w
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 28 Apr 2011 09:36:55 +0200
Original-Received: from localhost ([::1]:36499 helo=lists.gnu.org)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org>)
	id 1QFLmQ-0003Y1-8x
	for geb-bug-gnu-emacs@m.gmane.org; Thu, 28 Apr 2011 03:36:54 -0400
Original-Received: from eggs.gnu.org ([140.186.70.92]:41844)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1QFLmN-0003Xm-Dj
	for bug-gnu-emacs@gnu.org; Thu, 28 Apr 2011 03:36:52 -0400
Original-Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1QFLmM-0004AQ-6a
	for bug-gnu-emacs@gnu.org; Thu, 28 Apr 2011 03:36:51 -0400
Original-Received: from debbugs.gnu.org ([140.186.70.43]:59375)
	by eggs.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1QFLmM-0004AM-4r
	for bug-gnu-emacs@gnu.org; Thu, 28 Apr 2011 03:36:50 -0400
Original-Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.69)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1QFLcs-0000XZ-Ry; Thu, 28 Apr 2011 03:27:02 -0400
X-Loop: help-debbugs@gnu.org
Resent-From: Eli Zaretskii <eliz@gnu.org>
Original-Sender: debbugs-submit-bounces@debbugs.gnu.org
Resent-To: owner@debbugs.gnu.org
Resent-CC: bug-gnu-emacs@gnu.org
Resent-Date: Thu, 28 Apr 2011 07:27:02 +0000
Resent-Message-ID: <handler.8545.B8545.13039755962034@debbugs.gnu.org>
Resent-Sender: help-debbugs@gnu.org
X-GNU-PR-Message: followup 8545
X-GNU-PR-Package: emacs
X-GNU-PR-Keywords: 
Original-Received: via spool by 8545-submit@debbugs.gnu.org id=B8545.13039755962034
	(code B ref 8545); Thu, 28 Apr 2011 07:27:02 +0000
Original-Received: (at 8545) by debbugs.gnu.org; 28 Apr 2011 07:26:36 +0000
Original-Received: from localhost ([127.0.0.1] helo=debbugs.gnu.org)
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <debbugs-submit-bounces@debbugs.gnu.org>)
	id 1QFLcR-0000Wl-Jh
	for submit@debbugs.gnu.org; Thu, 28 Apr 2011 03:26:35 -0400
Original-Received: from fencepost.gnu.org ([140.186.70.10])
	by debbugs.gnu.org with esmtp (Exim 4.69)
	(envelope-from <eliz@gnu.org>) id 1QFLcP-0000WY-JT
	for 8545@debbugs.gnu.org; Thu, 28 Apr 2011 03:26:34 -0400
Original-Received: from eliz by fencepost.gnu.org with local (Exim 4.71)
	(envelope-from <eliz@gnu.org>)
	id 1QFLcK-0006Sx-Bc; Thu, 28 Apr 2011 03:26:28 -0400
In-reply-to: <4DB90C71.6060804@cs.ucla.edu> (message from Paul Eggert on Wed, 
	27 Apr 2011 23:42:57 -0700)
X-BeenThere: debbugs-submit@debbugs.gnu.org
X-Mailman-Version: 2.1.11
Precedence: list
Resent-Date: Thu, 28 Apr 2011 03:27:02 -0400
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 3)
X-Received-From: 140.186.70.43
X-BeenThere: bug-gnu-emacs@gnu.org
List-Id: "Bug reports for GNU Emacs,
	the Swiss army knife of text editors" <bug-gnu-emacs.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=unsubscribe>
List-Archive: </archive/html/bug-gnu-emacs>
List-Post: <mailto:bug-gnu-emacs@gnu.org>
List-Help: <mailto:bug-gnu-emacs-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-gnu-emacs>,
	<mailto:bug-gnu-emacs-request@gnu.org?subject=subscribe>
Errors-To: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Original-Sender: bug-gnu-emacs-bounces+geb-bug-gnu-emacs=m.gmane.org@gnu.org
Xref: news.gmane.org gmane.emacs.bugs:46060
Archived-At: <http://permalink.gmane.org/gmane.emacs.bugs/46060>

> Date: Wed, 27 Apr 2011 23:42:57 -0700
> From: Paul Eggert <eggert@cs.ucla.edu>
> CC: lekktu@gmail.com, 8545@debbugs.gnu.org
> 
> OK, but format_end == B + BSIZE.
> So if doprnt (A, ASIZE, B, B + BSIZE, AP) can dereference format_end + 1,
> this means doprnt can access B[BSIZE + 1], which means that
> B should point to a char array of at least BSIZE + 2 bytes.

With the original code, that was the case, yes.  But that is why I
forcibly reset fmt to point to format_end: to avoid dereferencing past
the end of the array.

If you are saying that such invalid dereferencing can still happen,
please show how is that possible, with the code that is now in the
repository.

> Normally, B is a C-language string literal such as "abc%d",
> and BSIZE is the length of the string, which means
> there is potential trouble because normally code
> should not try to read the byte that follows the null
> byte at the end of the string.

That trouble shouldn't happen with the code in the repository.