Module Name: src
Committed By: rillig
Date: Tue Feb 20 19:49:10 UTC 2024
Modified Files:
src/tests/lib/libutil: t_snprintb.c
Log Message:
tests/snprintb: fix out-of-bounds memory read (since 2024-02-16)
Before t_snprintb.c 1.20, the buffer size was required to be greater
than zero. Allowing the buffer size to be zero led to buf[-1] being
checked. On amd64, that byte happened to be 0, on i386 it didn't.
Fixes PR lib/57951.
To generate a diff of this commit:
cvs rdiff -u -r1.22 -r1.23 src/tests/lib/libutil/t_snprintb.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/tests/lib/libutil/t_snprintb.c
diff -u src/tests/lib/libutil/t_snprintb.c:1.22 src/tests/lib/libutil/t_snprintb.c:1.23
--- src/tests/lib/libutil/t_snprintb.c:1.22 Mon Feb 19 23:30:56 2024
+++ src/tests/lib/libutil/t_snprintb.c Tue Feb 20 19:49:10 2024
@@ -1,4 +1,4 @@
-/* $NetBSD: t_snprintb.c,v 1.22 2024/02/19 23:30:56 rillig Exp $ */
+/* $NetBSD: t_snprintb.c,v 1.23 2024/02/20 19:49:10 rillig Exp $ */
/*
* Copyright (c) 2002, 2004, 2008, 2010, 2024 The NetBSD Foundation, Inc.
@@ -32,7 +32,7 @@
#include <sys/cdefs.h>
__COPYRIGHT("@(#) Copyright (c) 2008, 2010, 2024\
The NetBSD Foundation, inc. All rights reserved.");
-__RCSID("$NetBSD: t_snprintb.c,v 1.22 2024/02/19 23:30:56 rillig Exp $");
+__RCSID("$NetBSD: t_snprintb.c,v 1.23 2024/02/20 19:49:10 rillig Exp $");
#include <stdio.h>
#include <string.h>
@@ -48,9 +48,11 @@ vis_arr(const char *arr, size_t arrsize)
static size_t i;
i = (i + 1) % (sizeof(buf) / sizeof(buf[0]));
- int rv = strnvisx(buf[i], sizeof(buf[i]), arr, arrsize,
+ buf[i][0] = '"';
+ int rv = strnvisx(buf[i] + 1, sizeof(buf[i]) - 2, arr, arrsize,
VIS_WHITE | VIS_OCTAL);
ATF_REQUIRE_MSG(rv >= 0, "strnvisx failed for size %zu", arrsize);
+ strcpy(buf[i] + 1 + rv, "\"");
return buf[i];
}
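Review bot: The size arithmetic in `strnvisx(buf[i] + 1, sizeof(buf[i]) - 2, ...)` is correct but unexplained, and a later edit to the quoting could easily turn it into a one-byte overflow of `buf[i]`. With the destination shortened by 2, `rv` is at most `sizeof(buf[i]) - 3`, so the closing quote and its terminator written by `strcpy(buf[i] + 1 + rv, "\"")` end exactly at the last byte. I would record that above the call, for example `/* reserve one byte each for the opening and the closing quote */`. The declaration of `buf` and the start of vis_arr are outside the hunk, so the row size itself cannot be checked from here.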
@@ -95,7 +97,8 @@ h_snprintb_loc(const char *file, size_t
ATF_CHECK_MSG(
rv == want_rv
&& memcmp(buf, want_buf, want_bufsize) == 0
- && buf[rlen < bufsize ? rlen : bufsize - 1] == '\0',
+ && (bufsize < 1
+ || buf[rlen < bufsize ? rlen : bufsize - 1] == '\0'),
"failed:\n"
"\ttest case: %s:%zu\n"
"\tformat: %s\n"
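Review bot: The new `bufsize < 1 ||` guard has no comment saying why the terminator check is skipped, and without one it reads like a loosened assertion rather than a fix for an invalid index. A short comment before it would keep the intent visible, for example `/* with bufsize 0 there is no byte to hold a terminator; bufsize - 1 would index buf[-1] */`. The `memcmp(buf, want_buf, want_bufsize)` above it still runs for every bufsize. The hunk does not show whether want_bufsize is bounded by the real array size, so that is worth confirming in the part of h_snprintb_loc that lies outside the hunk.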
@@ -1110,7 +1113,12 @@ h_snprintb_m_loc(const char *file, size_
size_t total = rv;
ATF_CHECK_MSG(
- total == want_rv && memcmp(buf, want_buf, want_bufsize) == 0,
+ total == want_rv
+ && memcmp(buf, want_buf, want_bufsize) == 0
+ && (bufsize < 1
+ || buf[total < bufsize ? total : bufsize - 1] == '\0')
+ && (bufsize < 2
+ || buf[total < bufsize ? total - 1 : bufsize - 2] == '\0'),
"failed:\n"
"\ttest case: %s:%zu\n"
"\tformat: %s\n"
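Review bot: The second added check, `buf[total < bufsize ? total - 1 : bufsize - 2]`, can still index out of bounds: `total` is a `size_t`, so when `total` is 0 and `bufsize >= 2` the expression `total - 1` wraps to SIZE_MAX. That is the same class of read this commit removes for `bufsize - 1`. Whether snprintb_m can return 0 for any test case is not visible in the hunk; if it can, extend the guard to `&& (bufsize < 2 || total < 1 || buf[...] == '\0')`. Separately, `size_t total = rv;` turns a negative `rv` into a huge value, and only the short-circuit on `total == want_rv` keeps it away from the index, which deserves a one-line comment. The start of h_snprintb_m_loc is outside the hunk.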