stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)

This shows up as an assertion failure when sprintf is called with a specifier like "%.8g" and libquadmath is linked in: Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end Fix this by detecting pointer wraparound in __vsprintf_internal and saturate the addition to the end of the address space instead. Reviewed-by: Carlos O'Donell <carlos@redhat.com> Tested-by: Carlos O'Donell <carlos@redhat.com>
2025-08-10 05:03:06 +03:00 · 2023-01-25 08:01:00 +01:00
parent 0674613e66
commit 0d50f477f4
4 changed files with 155 additions and 10 deletions
--- a/include/printf_buffer.h
+++ b/include/printf_buffer.h
@@ -115,17 +115,26 @@ __printf_buffer_has_failed (struct __printf_buffer *buf)
  return buf->mode == __printf_buffer_mode_failed;
 }

+/* Initialization of a buffer, using the memory region from [BASE,
+   END) as the initial buffer contents.  */
+static inline void
+__printf_buffer_init_end (struct __printf_buffer *buf, char *base, char *end,
+                          enum __printf_buffer_mode mode)
+{
+  buf->write_base = base;
+  buf->write_ptr = base;
+  buf->write_end = end;
+  buf->written = 0;
+  buf->mode = mode;
+}
+
 /* Initialization of a buffer, using the memory region from [BASE, BASE +LEN)
   as the initial buffer contents.  LEN can be zero.  */
 static inline void
 __printf_buffer_init (struct __printf_buffer *buf, char *base, size_t len,
                      enum __printf_buffer_mode mode)
 {
-  buf->write_base = base;
-  buf->write_ptr = base;
-  buf->write_end = base + len;
-  buf->written = 0;
-  buf->mode = mode;
+  __printf_buffer_init_end (buf, base, base + len, mode);
 }

 /* Called by printf_buffer_putc for a full buffer.  */