http://gcc.gnu.org/bugzilla/show_bug.cgi?id=47642
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jakub at gcc dot gnu.org
--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> 2011-02-08
12:50:44 UTC ---
size_t l = c - p;
memcpy (res + 3, p + 1, l);
size_t l2 = strlen (c + 1);
memcpy (res + 2 + l, c + 1, l2);
memset (res + 2 + l + l2, '0', n - (l + l2) + 1);
p is "174224571863520493293247799005065324265470", thus l is 42, l2 is 0
and n - (l + l2) + 1 is -1.
quadmath_io.c has more issues though, e.g.
void
quadmath_flt128tostr (char *s, size_t size, size_t n, __float128 x)
{
char buffer[1024];
memset (buffer, 0, sizeof(buffer));
format (buffer, x, n);
memcpy (s, buffer, size);
}
will happily copy garbage over for size > 1024, other buffer overflows will
happen for n > 1024 - epsilon, etc. and there is no reason why we need so many
extra buffers. At least the one in quadmath_flt128tostr doesn't make sense,
size should be simply passed through down to format and it should make sure it
never overflows the given size. The other memset in format:
memset (buffer, 0, sizeof(buffer));
should be avoided too, I believe g_Qfmt should return the pointer after the
last character it wrote, or NULL, so for NULL the caller should just clear
buffer[0] and for other value it should clear *g_Qfmt.
