diff options
| author | Ron Yorston <rmy@pobox.com> | 2017-07-18 09:33:22 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2017-07-18 16:00:38 +0200 |
| commit | 513a2457b65894b10b9fd6aa8753fca59eced08c (patch) | |
| tree | 0276a3c9b9f7752133c8a6d2f5bc18fafbaee5a6 /coreutils | |
| parent | cf5110978ba25002ec5cb46aaae2472eb66001ac (diff) | |
| download | busybox-w32-513a2457b65894b10b9fd6aa8753fca59eced08c.tar.gz busybox-w32-513a2457b65894b10b9fd6aa8753fca59eced08c.tar.bz2 busybox-w32-513a2457b65894b10b9fd6aa8753fca59eced08c.zip | |
printf: fix format string sanity check
One of the tests for printf checks for an invalid bare '%' in the
format string:
$ busybox printf '%' a b c
printf: %: invalid format
On x86_64 a slightly different test doesn't work correctly:
$ busybox printf '%' d e f
printf: invalid number 'd'
printf: invalid number 'e'
printf: invalid number 'f'
On other platforms the test fails randomly depending on how the
arguments are laid out in memory.
There are two places in the code where strchr is used to determine if
a character in the format string is valid. However, strchr also returns
a valid pointer if the character being searched for is the null terminator
thus causing the code to incorrectly suppose that a valid character has
been found.
Add explicit checks for the null terminator.
Signed-off-by: Ron Yorston <rmy@pobox.com>
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'coreutils')
| -rw-r--r-- | coreutils/printf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/coreutils/printf.c b/coreutils/printf.c index bc22e0ee7..65bb5a935 100644 --- a/coreutils/printf.c +++ b/coreutils/printf.c | |||
| @@ -305,7 +305,7 @@ static char **print_formatted(char *f, char **argv, int *conv_err) | |||
| 305 | } | 305 | } |
| 306 | break; | 306 | break; |
| 307 | } | 307 | } |
| 308 | if (strchr("-+ #", *f)) { | 308 | if (*f && strchr("-+ #", *f)) { |
| 309 | ++f; | 309 | ++f; |
| 310 | ++direc_length; | 310 | ++direc_length; |
| 311 | } | 311 | } |
| @@ -348,7 +348,7 @@ static char **print_formatted(char *f, char **argv, int *conv_err) | |||
| 348 | static const char format_chars[] ALIGN1 = "diouxXfeEgGcs"; | 348 | static const char format_chars[] ALIGN1 = "diouxXfeEgGcs"; |
| 349 | char *p = strchr(format_chars, *f); | 349 | char *p = strchr(format_chars, *f); |
| 350 | /* needed - try "printf %" without it */ | 350 | /* needed - try "printf %" without it */ |
| 351 | if (p == NULL) { | 351 | if (p == NULL || *f == '\0') { |
| 352 | bb_error_msg("%s: invalid format", direc_start); | 352 | bb_error_msg("%s: invalid format", direc_start); |
| 353 | /* causes main() to exit with error */ | 353 | /* causes main() to exit with error */ |
| 354 | return saved_argv - 1; | 354 | return saved_argv - 1; |