On 2023-12-03 20:19:10 +0100, Vincent Lefevre wrote: > With GMP 6.3.0, the formatted output functions do not handle %c > with the value 0 correctly. For gmp_sprintf, the return value is > incorrect.
In printf/sprintffuns.c, function gmp_sprintf_format(), I suppose that vsprintf (buf, fmt, ap); ret = strlen (buf); should actually be something like ret = vsprintf (buf, fmt, ap); if (ret < 0) ret = 0; to avoid issues due to non-terminating null characters (not tested). But I'm wondering how an error is possibly detected. The comment is: /* If vsprintf returns -1 then pass it upwards. It doesn't matter that "*bufp" is ruined in this case, since gmp_doprint will bail out immediately anyway. */ > For gmp_asprintf and gmp_vasprintf, this is either a buffer overflow > (according to the GMP manual: "The block will be the size of the > string and null-terminator.") or, in case this is an error in the > GMP manual, possible memory corruption when freeing the allocated > memory, if the custom memory allocation function cares about the > size parameter. This should be checked and the GMP manual should be fixed. > > Testcase for gmp_sprintf: > > ------------------------------------------------------------ > #include <stdio.h> > #include <gmp.h> > > static void test (int flag) > { > char s[3] = { 1, 1, 1 }; > int r; > > r = (flag ? sprintf : gmp_sprintf) (s, "%c", 0); > printf ("%4s: r = %d, s = { %d %d %d }\n", > flag ? "libc" : "gmp", r, s[0], s[1], s[2]); > } > > int main (void) > { > test (0); > test (1); > return 0; > } > ------------------------------------------------------------ > > which currently gives: > > gmp: r = 0, s = { 0 0 1 } > libc: r = 1, s = { 0 0 1 } > > MPFR has various issues concerning %c with the value 0, but an > attempt to fix them fails due to > > length = gmp_vasprintf (...); > [...] > mpfr_free_str (s); > > which is similar to GMP's tests/misc/t-printf.c file, which contains > > got_len = gmp_vasprintf (&got, fmt, ap); > [...] > (*__gmp_free_func) (got, strlen(got)+1); > > But replacing > > mpfr_free_str (s); > > by > > mpfr_free_func (s, length + 1); > > i.e. using the return value length instead of strlen(s), also fails. > I suppose that this is related to the incorrect return value. Well, the failure was due to another mpfr_free_func, no longer this one (I've now completely fixed MPFR, I think). -- Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon) _______________________________________________ gmp-bugs mailing list gmp-bugs@gmplib.org https://gmplib.org/mailman/listinfo/gmp-bugs