[vbox-dev] Proposed patch that fixes buffer overflow in dprintf.

Klaus Espenlaub klaus.espenlaub at oracle.com
Wed Nov 30 18:05:24 GMT 2016


Hi Denis,

wondering if the bug is truly in the code or if gcc is pretending there 
is a problem. Can you explain a little more?

I'm surprised that gcc only sees a problem in the width handling, but 
not in the immediately following prec handling which has the same issue.

Because in the width case it's rather obvious that f is at most 7 chars 
past the beginning of format, which is 64 chars big. So the problem is 
at best theoretical from how I read it.

Klaus

On 28.11.2016 10:11, Denis Medvedev wrote:
> Dear developers,
>
> I am proposing the following patch under MIT license. It fixes buffer
> overflow in dtprintf. That error does not allow compilation
> of VirtualBox with strict gcc checks.
>
>
> diff --git
> a/VirtualBox/src/VBox/ExtPacks/VBoxDTrace/onnv/lib/libdtrace/common/dt_printf.c
> b/VirtualBox/src/VBox/ExtPacks/VBoxDTrace/onnv/lib/libdtrace/common/dt_printf.c
>
> index 18edcc0..906ec9b 100644
> ---
> a/VirtualBox/src/VBox/ExtPacks/VBoxDTrace/onnv/lib/libdtrace/common/dt_printf.c
>
> +++
> b/VirtualBox/src/VBox/ExtPacks/VBoxDTrace/onnv/lib/libdtrace/common/dt_printf.c
>
> @@ -1605,7 +1605,7 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE *fp,
> const dt_pfargv_t *pfv,
>                         width = 0;
>
>                 if (width != 0)
> -                       f += snprintf(f,(((sizeof
> (format)-(f-format))>0) ? sizeof(format) - (f-format):0), "%d",
> ABS(width));
> +                       f += snprintf(f, sizeof (format) - (f - format),
> "%d", ABS(width));
>
>                 if (prec > 0)
>                         f += snprintf(f, sizeof (format) - (f - format),
> ".%d", prec);
