The size of the buffer used for printf -v is tracked in an int but this can overflow since the buffer can be built up by multiple vsnprintf(3) calls, each of which can append up to INT_MAX bytes to the buffer:
$ INT_MAX=$(getconf INT_MAX)
$ printf -v VAR "%$((INT_MAX-1))s%$((INT_MAX-1))s"
Bus error: 10
or when appending individual chars:
$ printf -v VAR "%$((INT_MAX-1))sXXX"
-bash: xrealloc: cannot allocate 18446744071562068032 bytes
The return value of vsnprintf(3) or printf(3) can be negative if, e.g.
the underlying write(2) call fails, or if a width or precision is out
of range. Currently, this return value used unchecked as an offset
into vbuf:
$ printf -v VAR "%.$((INT_MAX+1))s"
heap-buffer-overflow builtins/printf.def:1253:15 in vbprintf
and added to the total when counting bytes written for the %n conversion
specifier:
$ printf "%$((INT_MAX+1))s%n" "" N
$ echo "$N"
-1
Also, skip ferror(), fflush(), and clearerr() when running with the -v
flag.
0001-printf-more-error-handling.patch
Description: Binary data
