On 17/05/11 16:31, Paul Marinescu wrote:
> In coreutils 8.12 (latest), printf can make an out-of-bounds access when
> an integer argument consists only of a single or double quote.
>
> The printf spec mentions that an integer argument consisting of a
> single/double quote followed by a character is interpreted as the ASCII
> value of that character. However, when the quote is alone, the code in
> the STRTOX macro (printf.c:171) goes beyond the buffer associated with
> the argument.
>
> Possible fix: report an error at printf.c:166 if ch is 0.
Good catch!
We'll apply something like the following which results in:
$ ./printf "%d\n" '"a"'
./printf: warning: ": character(s) following character constant have been
ignored
97
$ ./printf "%d\n" '"a'
97
$ ./printf "%d\n" '"'
./printf: ": expected a numeric value
0
$ ./printf "%d\n" 'a'
./printf: a: expected a numeric value
0
cheers,
Pádraig.
diff --git a/src/printf.c b/src/printf.c
index e05947c..22a85e7 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s)
\
char *end; \
TYPE val; \
\
- if (*s == '\"' || *s == '\'')
\
+ if ((*s == '\"' || *s == '\'') && *(s+1)) \
{ \
unsigned char ch = *++s; \
val = ch;
\
