| Commit message (Expand) | Author | Age | Files | Lines |
|---|
| * | fix pointer overflow bug in floating point printf•••large precision values could cause out-of-bounds pointer arithmetic in
computing the precision cutoff (used to avoid expensive long-precision
arithmetic when the result will be discarded). per the C standard,
this is undefined behavior. one would expect that it works anyway, and
in fact it did in most real-world cases, but it was randomly
(depending on aslr) crashing in i386 binaries running on x86_64
kernels. this is because linux puts the userspace stack near 4GB
(instead of near 3GB) when the kernel is 64-bit, leading to the
out-of-bounds pointer arithmetic overflowing past the end of address
space and giving a very low pointer value, which then compared lower
than a pointer it should have been higher than.
the new code rearranges the arithmetic so that no overflow can occur.
while this bug could crash printf with memory corruption, it's
unlikely to have security impact in real-world applications since the
ability to provide an extremely large field precision value under
attacker-control is required to trigger the bug.
| Rich Felker | 2012-06-19 | 1 | -3/+3 |
| * | add new stdio extension functions to make gnulib happy•••this is mildly ugly, but less ugly than gnulib trying to poke at the
definition of the FILE structure...
| Rich Felker | 2012-06-19 | 1 | -0/+24 |
| * | stdio: handle file position correctly at program exit•••for seekable files, posix imposed requirements on the offset of the
underlying open file description after a stream is closed. this was
correctly handled (as a side effect of the unconditional fflush call)
when streams were explicitly closed by fclose, but was not handled
correctly at program exit time, where fflush(0) was being used.
the weak symbol hackery is to pull in __stdio_exit if either of
__toread or __towrite is used, but avoid calling it twice so we don't
have to keep extra state. the new __stdio_exit is a streamlined fflush
variant that avoids performing any unnecessary operations and which
never unlocks the files or open file list, so we can be sure no other
threads write new data to a stream's buffer after it's already
flushed.
| Rich Felker | 2012-06-19 | 3 | -3/+35 |
| * | minor cleanup in fflush | Rich Felker | 2012-06-19 | 1 | -5/+1 |
| * | remove flush hook cruft that was never used from stdio•••there is no need/use for a flush hook. the write function serves this
purpose already. i originally created the hook for implementing mem
streams based on a mistaken reading of posix, and later realized it
wasn't useful but never removed it until now.
| Rich Felker | 2012-06-19 | 2 | -4/+0 |
| * | change stdio_ext __freading/__fwriting semantics slightly•••the old behavior was to only consider a stream to be "reading" or
"writing" if it had buffered, unread/unwritten data. this reportedly
differs from the traditional behavior of these functions, which is
essentially to return true as much as possible without creating the
possibility that both __freading and __fwriting could return true.
gnulib expects __fwriting to return true as soon as a file is opened
write-only, and possibly expects other cases that depend on the
traditional behavior. and since these functions exist mostly for
gnulib (does anything else use them??), they should match the expected
behavior to avoid even more ugly hacks and workarounds...
| Rich Felker | 2012-06-17 | 1 | -2/+2 |
| * | fdopen should set errno when it fails due to invalid mode string | Rich Felker | 2012-06-17 | 1 | -1/+4 |
| * | fix %ls breakage in last printf fix•••signedness issue kept %ls with no precision from working at all
| Rich Felker | 2012-06-08 | 1 | -2/+2 |
| * | fix printf %ls with precision limit over-read issue•••printf was not printing too many characters, but it was reading one
too many wchar_t elements from the input. this could lead to crashes
if running off the page, or spurious failure if the conversion of the
extra wchar_t resulted in EILSEQ.
| Rich Felker | 2012-06-08 | 1 | -2/+2 |
| * | fix scanf bug reading literals after width-limited field•••the field width limit was not being cleared before reading the
literal, causing spurious failures in scanf in cases like "%2d:"
scanning "00:".
| Rich Felker | 2012-06-07 | 1 | -0/+1 |
| * | add some ugly aliases for LSB ABI compatibility•••for some nonsensical reason, glibc's headers use inline functions that
redirect some of the standard functions to ugly nonstandard names (and
likewise for some of their nonstandard functions).
| Rich Felker | 2012-06-02 | 7 | -0/+8 |
| * | avoid using pthread cleanup push/pop in stdio when not needed•••unfortunately in dynamic-linked programs, these macros cause
pthread_self to be initialized, which costs a couple syscalls, and
(much worse) would necessarily fail, crash, and burn on ancient (2.4
and earlier) kernels where setting up a thread pointer does not work.
i'd like to do this in a more generic way that avoids all use of
cleanup push/pop before pthread_self has been successfully called and
avoids ugly if/else constructs like the one in this commit, but for
now, this will suffice.
| Rich Felker | 2012-05-25 | 2 | -6/+14 |
| * | fix uninitialized var in vfwprintf printing 0-prec string•••this could lead to spurious failures of wide printf functions
| Rich Felker | 2012-05-04 | 1 | -1/+1 |
| * | fix really bad breakage in strtol, etc.: failure to accept leading spaces | Rich Felker | 2012-04-19 | 1 | -1/+1 |
| * | fix wide scanf's handling of input failure on %c, and simplify %[ | Rich Felker | 2012-04-17 | 1 | -5/+6 |
| * | fix failure to distinguish input/match failure in wide %[ scanf•••this also includes a related fix for vswscanf's read function, which
was returning a spurious (uninitialized) character for empty strings.
| Rich Felker | 2012-04-17 | 2 | -2/+4 |
| * | fix over-read in %ls with non-wide scanf | Rich Felker | 2012-04-17 | 1 | -0/+1 |
| * | fix broken %s and %[ with no width specifier in wide scanf | Rich Felker | 2012-04-17 | 1 | -3/+7 |
| * | make wide scanf %[ respect width | Rich Felker | 2012-04-17 | 1 | -2/+3 |
| * | fix wide scanf to respect field width for strings | Rich Felker | 2012-04-17 | 1 | -4/+7 |
| * | fix some bugs in scanf %[ handling detected while writing the wide version | Rich Felker | 2012-04-17 | 1 | -4/+4 |
| * | introduce new wide scanf code and remove the last remnants of old scanf•••at this point, strto* and all scanf family functions are using the new
unified integer and floating point parser/converter code.
the wide scanf is largely a wrapper for ordinary byte-based scanf;
since numbers can only contain ascii characters, only strings need to
be handled specially.
| Rich Felker | 2012-04-17 | 4 | -524/+312 |
| * | avoid depending on POSIX symbol in code used from plain C functions | Rich Felker | 2012-04-17 | 1 | -1/+3 |
| * | avoid null pointer dereference on %*p fields in scanf | Rich Felker | 2012-04-17 | 1 | -1/+1 |
| * | also ensure that write buffer is bounded when __stdio_write returns•••assuming other code is correct, this should be a no-op, but better to
be safe...
| Rich Felker | 2012-04-17 | 1 | -0/+1 |
| * | fix buffer overflow in vfprintf on long writes to unbuffered files•••vfprintf temporarily swaps in a local buffer (for the duration of the
operation) when the target stream is unbuffered; this both simplifies
the implementation of functions like dprintf (they don't need their
own buffers) and eliminates the pathologically bad performance of
writing the formatted output with one or more write syscalls per
formatting field.
in cases like dprintf where we are dealing with a virgin FILE
structure, everything worked correctly. however for long-lived files
(like stderr), it's possible that the buffer bounds were already set
for the internal zero-size buffer. on the next write, __stdio_write
would pick up and use the new buffer provided by vfprintf, but the
bound (wend) field was still pointing at the internal zero-size
buffer's end. this in turn allowed unbounded writes to the temporary
buffer.
| Rich Felker | 2012-04-17 | 1 | -1/+2 |
| * | fix %lf, etc. with printf•••the l prefix is redundant/no-op with printf, since default promotions
always promote floats to double; however, it is valid, and printf was
wrongly rejecting it.
| Rich Felker | 2012-04-16 | 1 | -0/+2 |
| * | new scanf implementation and corresponding integer parser/converter•••advantages over the old code:
- correct results for floating point (old code was bogus)
- wide/regular scanf separated so scanf does not pull in wide code
- well-defined behavior on integers that overflow dest type
- support for %[a-b] ranges with %[ (impl-defined by widely used)
- no intermediate conversion of fmt string to wide string
- cleaner, easier to share code with strto* functions
- better standards conformance for corner cases
the old code remains in the source tree, as the wide versions of the
scanf-family functions are still using it. it will be removed when no
longer needed.
| Rich Felker | 2012-04-16 | 3 | -30/+343 |
| * | fix scanf handling of "0" (followed by immediate EOF) with "%x"•••other cases with %x were probably broken too.
I would actually like to go ahead and replace this code in scanf with
calls to the new __intparse framework, but for now this calls for a
quick and unobtrusive fix without the risk of breaking other things.
| Rich Felker | 2012-03-13 | 1 | -11/+6 |
| * | make stdio open, read, and write operations cancellation points•••it should be noted that only the actual underlying buffer flush and
fill operations are cancellable, not reads from or writes to the
buffer. this behavior is compatible with POSIX, which makes all
cancellation points in stdio optional, and it achieves the goal of
allowing cancellation of a thread that's "stuck" on IO (due to a
non-responsive socket/pipe peer, slow/stuck hardware, etc.) without
imposing any measurable performance cost.
| Rich Felker | 2012-02-02 | 3 | -5/+28 |
| * | simplify atexit and fflush-on-exit handling | Rich Felker | 2011-10-14 | 1 | -1/+4 |
| * | don't crash on null strings in printf•••passing null pointer for %s is UB but lots of broken programs do it anyway
| Rich Felker | 2011-09-28 | 1 | -1/+1 |
| * | avoid setting FILE lock count when not using flockfile•••for now this is just a tiny optimization, but later if we support
cancellation from __stdio_read and __stdio_write, it will be necessary
for the recusrive lock count to be zero in order for these functions
to know they are responsible for unlocking the FILE on cancellation.
| Rich Felker | 2011-09-21 | 1 | -1/+1 |
| * | more fmemopen null termination fixes•••null termination is only added when current size grows.
in update modes, null termination is not added if it does not fit
(i.e. it is not allowed to clobber data).
these rules make very little sense, but that's how it goes..
| Rich Felker | 2011-09-04 | 1 | -2/+3 |
| * | fix some fmemopen behaviors•••read should not be allowed past "current size".
append mode should write at "current size", not buffer size.
null termination should not be written except when "current size" grows.
| Rich Felker | 2011-09-04 | 1 | -4/+7 |
| * | fmemopen: fix eof handling, hopefully right this time | Rich Felker | 2011-09-04 | 1 | -3/+4 |
| * | fmemopen fixes•••disallow seek past end of buffer (per posix)
fix position accounting to include data buffered for read
don't set eof flag when no data was requested
| Rich Felker | 2011-09-04 | 1 | -1/+3 |
| * | memstreams: fix incorrect handling of file pos > current size•••the addition is safe and cannot overflow because both operands are
positive when considered as signed quantities.
| Rich Felker | 2011-09-04 | 2 | -4/+4 |
| * | optimize seek function for memory streams | Rich Felker | 2011-09-04 | 2 | -24/+6 |
| * | fix twos complement overflow bug in mem streams boundary check•••the expression -off is not safe in case off is the most-negative
value. instead apply - to base which is known to be non-negative and
bounded within sanity.
| Rich Felker | 2011-09-04 | 2 | -2/+2 |
| * | implement fmemopen•••testing so far has been minimal. may need further work.
| Rich Felker | 2011-09-03 | 1 | -18/+66 |
| * | fix some length calculations in memory streams | Rich Felker | 2011-09-03 | 2 | -3/+3 |
| * | implement open_wmemstream•••not heavily tested, but it seems to be correct, including the odd
behavior that seeking is in terms of wide character count. this
precludes any simple buffering, so we just make the stream unbuffered.
| Rich Felker | 2011-09-03 | 1 | -0/+95 |
| * | implement open_memstream•••this is the first attempt, and may have bugs. only minimal testing has
been performed.
| Rich Felker | 2011-09-03 | 1 | -0/+94 |
| * | fix crash in dns code with new stdio locking code | Rich Felker | 2011-08-01 | 1 | -0/+1 |
| * | add proper fuxed-based locking for stdio•••previously, stdio used spinlocks, which would be unacceptable if we
ever add support for thread priorities, and which yielded
pathologically bad performance if an application attempted to use
flockfile on a key file as a major/primary locking mechanism.
i had held off on making this change for fear that it would hurt
performance in the non-threaded case, but actually support for
recursive locking had already inflicted that cost. by having the
internal locking functions store a flag indicating whether they need
to perform unlocking, rather than using the actual recursive lock
counter, i was able to combine the conditionals at unlock time,
eliminating any additional cost, and also avoid a nasty corner case
where a huge number of calls to ftrylockfile could cause deadlock
later at the point of internal locking.
this commit also fixes some issues with usage of pthread_self
conflicting with __attribute__((const)) which resulted in crashes with
some compiler versions/optimizations, mainly in flockfile prior to
pthread_create.
| Rich Felker | 2011-07-30 | 14 | -39/+44 |
| * | eliminate dependence of perror on printf | Rich Felker | 2011-07-30 | 1 | -10/+5 |
| * | fix logic error in fread•••fread was calling f->read without checking that the file was in
reading mode. this could:
1. crash, if f->read was a null pointer
2. cause unwanted blocking on a terminal already at eof
3. allow reading on a write-only file
| Rich Felker | 2011-07-16 | 1 | -6/+1 |
| * | printf: "if a precision is specified, the '0' flag shall be ignored." | Rich Felker | 2011-07-04 | 1 | -1/+1 |
| * | zero precision with zero value should not inhibit prefix/width printing | Rich Felker | 2011-07-04 | 1 | -1/+4 |
