Hi, Apologies, discard my previous patch (I inverted the old with new file in the diff command), consider the following one:
--- uClibc-nptl-SVN-thrunk/libc/stdio/_vfprintf.c 2008-02-07 08:04:14.400000000 +0100 +++ uClibc-nptl-new/libc/stdio/_vfprintf.c 2008-03-12 11:50:47.930003000 +0100 @@ -896,7 +896,8 @@ int attribute_hidden _ppfs_parsespec(ppf if ((buf[i] = (char) (((wchar_t *) ppfs->fmtpos)[i-1])) != (((wchar_t *) ppfs->fmtpos)[i-1]) ) { - return -1; + buf[i] = 0; + break; } } while (buf[i++] && (i < sizeof(buf))); buf[sizeof(buf)-1] = 0; > -----Original Message----- > From: filippo arcidiacono [mailto:[EMAIL PROTECTED] > Sent: Tuesday, March 11, 2008 5:37 PM > To: 'Kevin Cernekee'; 'Carmelo AMOROSO' > Cc: 'uclibc@uclibc.org' > Subject: RE: [PATCH] wprintf overflow > > Hi, > Your patch fix the problem when a wide character is in the > format string, but there Are some problem if the wide char is > in the format specifier. Have you any idea about this one? > In my opinion your patch have to be the follow (just to be in > synch with the latest version of the thrunk): > --- uClibc-nptl-new/libc/stdio/_vfprintf.c 2008-03-11 > 17:22:16.590005000 +0100 > +++ uClibc-nptl-SVN-thrunk/libc/stdio/_vfprintf.c > 2008-02-07 08:04:14.400000000 +0100 > @@ -896,8 +896,7 @@ int attribute_hidden _ppfs_parsespec(ppf > if ((buf[i] = (char) (((wchar_t *) > ppfs->fmtpos)[i-1])) > != (((wchar_t *) ppfs->fmtpos)[i-1]) > ) { > - buf[i] = 0; > - break; > + return -1; > } > } while (buf[i++] && (i < sizeof(buf))); > buf[sizeof(buf)-1] = 0; > > > -----Original Message----- 
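Review bot: in the `buf[i] = 0; break;` path of this hunk a wide character that does not fit in `char` now silently terminates the copied specifier instead of returning -1, so `buf` is left holding a truncated spec; for the case raised earlier in this thread (the wide char inside the specifier, between `%` and the conversion character) that is just `%` followed by NUL, and the hunk does not show how the remainder of `_ppfs_parsespec` treats such a partial spec, so that path needs a test with the wide character inside the specifier and a comment saying the truncation is intentional. The retained condition `while (buf[i++] && (i < sizeof(buf)))` does bound the write to `buf[sizeof(buf)-1]`, so the stack overflow itself is closed, and the `---`/`+++` headers are now in the right order (the quoted copy below is the inverted one being discarded).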
> > From: [EMAIL PROTECTED] > > [mailto:[EMAIL PROTECTED] On Behalf Of Kevin Cernekee > > Sent: Tuesday, February 26, 2008 6:46 AM > > To: Carmelo AMOROSO > > Cc: uclibc@uclibc.org > > Subject: Re: [PATCH] wprintf overflow > > > > > > On Thu, 7 Feb 2008, Carmelo AMOROSO wrote: > > > > > The fix I committed I think it's better... because solve > the stack > > > overflow but keep the check against higher character. > > > I tested it and it works. Let me know your comments. > > > > Hi, > > > > One of the concerns I had with that loop is that it always > aborts the > > parser if it trips on a "wider" character during the copy, > even if it > > wasn't part of the format specifier. > > For instance: > > > > wprintf(L"%d %d %d \x0101\n", 1, 2, 3); > > > > I don't know if this is a problem in real life, but I erred on the > > side of caution and wound up using this fix: > > > > --- uClibc-nptl-0.9.29-20070423.orig/libc/stdio/_vfprintf.c > > 2006-06-19 19:32:05.000000000 -0700 > > +++ uClibc-nptl-0.9.29-20070423/libc/stdio/_vfprintf.c > > 2008-01-16 15:18:19.000000000 -0800 > > @@ -893,10 +893,13 @@ > > fmt = buf + 1; > > i = 0; > > do { > > + if(i == sizeof(buf)) > > + break; > > if ((buf[i] = (char) (((wchar_t *) > > ppfs->fmtpos)[i-1])) > > != (((wchar_t *) ppfs->fmtpos)[i-1]) > > ) { > > - return -1; > > + buf[i] = 0; > > + break; > > } > > } while (buf[i++]); > > buf[sizeof(buf)-1] = 0; > > _______________________________________________ > > uClibc mailing list > > uClibc@uclibc.org > > http://busybox.net/cgi-bin/mailman/listinfo/uclibc > > > _______________________________________________ uClibc mailing list uClibc@uclibc.org http://busybox.net/cgi-bin/mailman/listinfo/uclibc
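Review bot: the `if(i == sizeof(buf)) break;` added at the top of the loop bounds the copy, but because it runs before the assignment an over-long specifier leaves the loop with `buf` full and no terminator until `buf[sizeof(buf)-1] = 0;` after the loop overwrites the last copied byte, so a too-long spec is silently truncated rather than rejected; returning -1 on that path would match the existing error handling. Note also that where `char` is signed, the `(char) ... != ...` test in this hunk also fires for code points 0x80 to 0xFF, so the `buf[i] = 0; break;` path is taken for those, not only for characters wider than a byte. Minor style: `if(i` should be `if (i` as in the surrounding code.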