On 11/10/2010 11:40 AM, Paul Eggert wrote:
>> +  unsigned int max_digit_string_len
>> +    = (suffix
>> +       ? max_out (suffix)
>> +       : MAX (INT_STRLEN_BOUND (unsigned int), digits));
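Review bot: `max_digit_string_len` is declared `unsigned int`, but the `suffix` branch assigns the result of `max_out (suffix)`, which (as the reply notes) is a `size_t`; on a 64-bit host a width such as 4294967296 makes that result exceed `UINT_MAX`, and the assignment silently truncates it, so the computed length no longer bounds the string it is meant to size. Declare the variable `size_t` (`size_t max_digit_string_len = (suffix ? max_out (suffix) : MAX (INT_STRLEN_BOUND (unsigned int), digits));`) and consider rejecting widths above `INT_MAX` before they reach `printf`, since the `*` width argument is an `int` and cannot carry a larger value.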
> 
> That should be size_t, not unsigned int, since max_out
> returns a size_t, and it could return a value greater than
> UINT_MAX.  For example, the user might run "csplit -b %4294967296d"
> and on a 64-bit host max_out will return UINTMAX + 1.
> 
> While we're on the subject of undefined printf behavior, perhaps
> we should be rejecting any attempt to use a printf format like
> %4294967296d that uses a width or precision greater than INT_MAX?
> POSIX seems to say that such a format should work, but I'll bet
> nobody does it right (glibc doesn't).

Actually, the next version of POSIX will require EOVERFLOW if printf is
directed to print more than INT_MAX bytes:

http://austingroupbugs.net/view.php?id=316

>  For safety we might want
> to be truncating large widths or precisions to INT_MAX, or
> rejecting them.

There's also the matter that %*d can only go up to INT_MAX bytes; it
would make sense to reject larger widths if we cannot safely rewrite a
user's %nnnd,value into %*d,nnn,value.

-- 
Eric Blake   [email protected]    +1-801-349-2682
Libvirt virtualization library http://libvirt.org
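The rewrite Eric describes, turning a user's `%nnnd,value` into `%*d,nnn,value` only after checking that `nnn` fits in an `int`, as an added example in C. This is not csplit's or coreutils' code: `parse_width`, `width_of_spec` and `format_with_checked_width` are hypothetical names, and only the bare form `%<width>d` is handled (no flags or precision). A width above `INT_MAX`, such as the `%4294967296d` from the thread, is refused with `EOVERFLOW` before `printf` ever sees it.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Parse the decimal digits of a width field, refusing any value that
   does not fit in an int.  printf's '*' width argument is an int, so a
   request like "%4294967296d" can never be rewritten into "%*d" safely.
   On success *END points past the digits and *WIDTH holds the value
   (0 if there were no digits).  Hypothetical helper, not csplit's. */
static bool
parse_width (const char *digits, const char **end, int *width)
{
  int w = 0;
  const char *p = digits;
  for (; *p >= '0' && *p <= '9'; p++)
    {
      int d = *p - '0';
      /* Check before accumulating: w * 10 + d must stay <= INT_MAX. */
      if (w > (INT_MAX - d) / 10)
        return false;
      w = w * 10 + d;
    }
  *end = p;
  *width = w;
  return true;
}

/* Return the width of a "%<width>d" conversion, or -1 with errno set:
   EOVERFLOW if the width exceeds INT_MAX, EINVAL if FMT is not of the
   one form handled here (flags and precision are not parsed). */
int
width_of_spec (const char *fmt)
{
  const char *end;
  int width;
  if (fmt[0] != '%')
    {
      errno = EINVAL;
      return -1;
    }
  if (!parse_width (fmt + 1, &end, &width))
    {
      errno = EOVERFLOW;
      return -1;
    }
  if (end[0] != 'd' || end[1] != '\0')
    {
      errno = EINVAL;
      return -1;
    }
  return width;
}

/* Rewrite "%<width>d,value" into "%*d,width,value" once the width has
   been validated, and format VALUE into BUF.  Returns snprintf's result,
   or -1 with errno set as by width_of_spec.  The format string handed to
   snprintf is a fixed literal, never the user's text. */
int
format_with_checked_width (char *buf, size_t size, const char *fmt, int value)
{
  int width = width_of_spec (fmt);
  if (width < 0)
    return -1;
  return snprintf (buf, size, "%*d", width, value);
}

int
main (void)
{
  char buf[32];
  /* Constructed sample specs: two valid, one oversized, one malformed. */
  const char *specs[] = { "%4d", "%10d", "%4294967296d", "%4x" };
  for (size_t i = 0; i < sizeof specs / sizeof *specs; i++)
    {
      errno = 0;
      int n = format_with_checked_width (buf, sizeof buf, specs[i], 7);
      if (n < 0)
        printf ("%s rejected: %s\n", specs[i], strerror (errno));
      else
        printf ("%s -> \"%s\" (%d bytes)\n", specs[i], buf, n);
    }
  return 0;
}
```

The overflow check runs per digit, so the accumulator never wraps; an alternative is `strtoumax` followed by a comparison against `INT_MAX`, which also works as long as `ERANGE` is checked, since a width like `%99999999999999999999d` overflows even `uintmax_t`.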
