<p>Ruby Issue Tracking System: Ruby master - Bug #8864: sprintf segfaults with too high precision (<a href="https://bugs.ruby-lang.org/issues/8864">https://bugs.ruby-lang.org/issues/8864</a>)</p>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41712">Journal 41712</a>, 2013-09-10T16:47:21Z, nobu (Nobuyoshi Nakada), nobu@ruby-lang.org</p>
<ul><li><strong>Project</strong> changed from <i>14</i> to <i>Ruby master</i></li></ul>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41713">Journal 41713</a>, 2013-09-10T16:47:51Z, nobu (Nobuyoshi Nakada), nobu@ruby-lang.org</p>
<ul><li><strong>Tracker</strong> changed from <i>Feature</i> to <i>Bug</i></li></ul>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41720">Journal 41720</a>, 2013-09-10T21:40:08Z, utkarshkukreti (Utkarsh Kukreti), utkarshkukreti@gmail.com</p>
<p>I'm trying to write a patch for this (my first contribution actually), and I'll really appreciate some help.</p>
<p>I've found the cause -- the buffer sent to the <code>cvt()</code> function in vsnprintf.c is allocated on the stack with a fixed size of <code>#define BUF (MAXEXP+MAXFRACT+1)</code> <a href="https://github.com/ruby/ruby/blob/5b46f6c602c24c9cdf995914fc6998981f1e53ec/vsnprintf.c#L502" class="external">here</a>, which on my machine is <code>1024 + 64 + 1 == 1089</code>, and the data is written to it without any bounds check, which causes the segfault.</p>
<p>I can think of two possible solutions:</p>
<ol>
<li>Limit the precision a user can specify on a call to sprintf to <code>MAXFRACT</code>.</li>
<li>
<code>malloc</code> the actual required memory when it's greater than the defined constant <code>BUF</code>, and <code>free</code> it before returning from the function.</li>
</ol>
<p>I think (2) is the best solution here.</p>
<p>What do you all think? Also, what functions should I use to allocate/free memory inside <code>vsnprintf</code>?</p>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41740">Journal 41740</a>, 2013-09-11T22:44:03Z, utkarshkukreti (Utkarsh Kukreti), utkarshkukreti@gmail.com</p>
<p>Ok, (1) is not really an option; all other languages I looked at support arbitrary values of precision.</p>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41766">Journal 41766</a>, 2013-09-12T19:44:16Z, phasis68 (Heesob Park), phasis@gmail.com</p>
<ul><li><strong>File</strong> <a href="/attachments/3955">vsnprintf.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/3955/vsnprintf.patch">vsnprintf.patch</a> added</li></ul><p>I made a patch for this issue.</p>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41767">Journal 41767</a>, 2013-09-12T20:07:35Z, nobu (Nobuyoshi Nakada), nobu@ruby-lang.org</p>
<ul><li><strong>Status</strong> changed from <i>Open</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>This issue was solved with changeset r42918.<br>
Aaron, thank you for reporting this issue.<br>
Your contribution to Ruby is greatly appreciated.<br>
May Ruby be with you.</p>
<hr>
<p>vsnprintf.c: fix buffer overflow</p>
<ul>
<li>vsnprintf.c (MAXEXP, MAXFRACT): calculate depending on constants in<br>
float.h.</li>
<li>vsnprintf.c (BSD_vfprintf): limit length for cvt() to get rid of<br>
buffer overflow. <a href="/issues/8864">[ruby-core:57023]</a> [Bug <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: sprintf segfaults with too high precision (Closed)" href="https://bugs.ruby-lang.org/issues/8864">#8864</a>]</li>
<li>vsnprintf.c (exponent): make expbuf size more precise.</li>
</ul>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41770">Journal 41770</a>, 2013-09-12T21:57:50Z, nagachika (Tomoyuki Chikanaga), nagachika00@gmail.com</p>
<ul><li><strong>Backport</strong> set to <i>1.9.3: REQUIRED, 2.0.0: REQUIRED</i></li><li><strong>ruby -v</strong> set to <i>-</i></li></ul>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=41834">Journal 41834</a>, 2013-09-15T22:52:01Z, nagachika (Tomoyuki Chikanaga), nagachika00@gmail.com</p>
<ul><li><strong>Backport</strong> changed from <i>1.9.3: REQUIRED, 2.0.0: REQUIRED</i> to <i>1.9.3: REQUIRED, 2.0.0: DONE</i></li></ul><p>Backported 42908 (to resolve a conflict) and 42918 to ruby_2_0_0 at r42944.</p>
<p><a href="https://bugs.ruby-lang.org/issues/8864?journal_id=42692">Journal 42692</a>, 2013-10-31T23:37:08Z, usa (Usaku NAKAMURA), usa@garbagecollect.jp</p>
<ul><li><strong>Backport</strong> changed from <i>1.9.3: REQUIRED, 2.0.0: DONE</i> to <i>1.9.3: DONE, 2.0.0: DONE</i></li></ul><p>Backported to ruby_1_9_3 at r43488.</p>
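<p>The cause Utkarsh identifies above (a fixed-size stack buffer receiving precision-driven output with no bounds check) and the approach the changelog describes (limiting the length passed to <code>cvt()</code>) can be illustrated with a small C routine. This is an added example, not Ruby's vsnprintf.c: the MAXEXP/MAXFRACT values are the ones quoted in the thread, the function name <code>fmt_fixed</code> is hypothetical, and padding places beyond MAXFRACT with zeros is an assumption made for the example, not a description of what Ruby's fix outputs.</p>

```c
#include <stdio.h>
#include <string.h>

/* Sizes as reported in the thread for the reporter's machine (assumed here). */
#define MAXEXP   1024
#define MAXFRACT 64
#define BUF      (MAXEXP + MAXFRACT + 1)

/*
 * Hypothetical hardened formatter. The unsafe pattern behind the bug is a
 * conversion that writes `prec` fractional digits into a fixed stack array
 * of BUF bytes without checking that they fit. Here the requested precision
 * is clamped to MAXFRACT before any digit is written, every copy is bounded,
 * and the caller learns how many zeros were appended to reach `prec`.
 * Returns the length written to `out`, or -1 if the result cannot fit.
 */
int fmt_fixed(double v, int prec, char *out, size_t outsz, int *pad_zeros)
{
    char digits[BUF];          /* fixed-size buffer, as in the original code */
    int p = prec;

    *pad_zeros = 0;
    if (p > MAXFRACT) {        /* the bound the original conversion lacked */
        *pad_zeros = p - MAXFRACT;
        p = MAXFRACT;
    }

    /* snprintf never writes past `digits`; a truncated result is rejected. */
    int n = snprintf(digits, sizeof digits, "%.*f", p, v);
    if (n < 0 || (size_t)n >= sizeof digits)
        return -1;

    /* Check the final size (digits plus zero padding plus NUL) against `out`. */
    if ((size_t)n + (size_t)*pad_zeros >= outsz)
        return -1;

    memcpy(out, digits, (size_t)n);
    memset(out + n, '0', (size_t)*pad_zeros);
    out[n + *pad_zeros] = '\0';
    return n + *pad_zeros;
}

int main(void)
{
    char out[256];
    int pad;
    int len = fmt_fixed(0.5, 100, out, sizeof out, &pad);
    printf("len=%d padded=%d %s\n", len, pad, out);   /* len=102 padded=36 */
    return 0;
}
```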