aboutsummaryrefslogtreecommitdiff
path: root/src/stdio/__overflow.c (unfollow)
Commit message (Collapse)AuthorFilesLines
2012-06-20duplocale: don't crash when called with LC_GLOBAL_LOCALERich Felker1-1/+1
posix has resolved to add this usage; for now, we just avoid writing anything to the new locale object since it's not used anyway.
2012-06-20make strerror_r behave nicer on failureRich Felker1-2/+8
if the buffer is too short, at least return a partial string. this is helpful if the caller is lazy and does not check for failure. care is taken to avoid writing anything if the buffer length is zero, and to always null-terminate when the buffer length is non-zero.
2012-06-20fix another oob pointer arithmetic issue in printf floating pointRich Felker1-1/+1
this one could never cause any problems unless the compiler/machine goes to extra trouble to break oob pointer arithmetic, but it's best to fix it anyway.
2012-06-20minor perror behavior fixRich Felker1-1/+1
patch by nsz
2012-06-19fix localeconv values and implementationRich Felker1-15/+28
dynamic-allocation of the structure is not valid; it can crash an application if malloc fails. since localeconv is not specified to have failure conditions, the object needs to have static storage duration. need to review whether all the values are right or not still..
2012-06-19fix mistake in length test in getlogin_rRich Felker1-1/+1
this was actually dangerously wrong, but presumably nobody uses this broken function anymore anyway..
2012-06-19fix dummied-out fsyncRich Felker1-2/+1
if we eventually have build options, it might be nice to make an option to dummy this out again, in case anybody needs a system-wide disable for disk/ssd-thrashing, etc. that some daemons do when logging...
2012-06-19fix dummied-out fdatasyncRich Felker1-1/+1
2012-06-19fix pointer overflow bug in floating point printfRich Felker1-3/+3
large precision values could cause out-of-bounds pointer arithmetic in computing the precision cutoff (used to avoid expensive long-precision arithmetic when the result will be discarded). per the C standard, this is undefined behavior. one would expect that it works anyway, and in fact it did in most real-world cases, but it was randomly (depending on aslr) crashing in i386 binaries running on x86_64 kernels. this is because linux puts the userspace stack near 4GB (instead of near 3GB) when the kernel is 64-bit, leading to the out-of-bounds pointer arithmetic overflowing past the end of address space and giving a very low pointer value, which then compared lower than a pointer it should have been higher than. the new code rearranges the arithmetic so that no overflow can occur. while this bug could crash printf with memory corruption, it's unlikely to have security impact in real-world applications since the ability to provide an extremely large field precision value under attacker-control is required to trigger the bug.