[Bug 1712253] [NEW] swprintf does not guarantee NUL termination

James Lin 1712253 at bugs.launchpad.net
Tue Aug 22 05:38:55 UTC 2017


Public bug reported:

The C99 specification states for swprintf (section 7.24.2.3):

> The swprintf function is equivalent to fwprintf, except that the
> argument s specifies an array of wide characters into which the
> generated output is to be written, rather than written to a stream. No
> more than n wide characters are written, including a terminating null
> wide character, which is always added (unless n is zero).

My interpretation is that "always" includes failure, including truncation
error.  However, it appears that swprintf from glibc does NOT
NUL-terminate on truncation. (I am using glibc 2.24 and gcc 6.3.0 20170406
from an Ubuntu 17.04 x64 (desktop) live CD.)

I have attached sample code that exhibits this problem.  The output I
expect is:

ret: -1   buf: 68 0

but instead I get:

ret: -1   buf: 68 cacacaca


(I do get the expected behavior with libc on FreeBSD and macOS.)

** Affects: glibc (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "Sample code"
   https://bugs.launchpad.net/bugs/1712253/+attachment/4936774/+files/test_swprintf.c

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/1712253
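
Added example, not part of the original report or its attachment: a defensive wrapper that leaves the buffer a valid wide string even when swprintf reports truncation. The names checked_swprintf, is_terminated and truncation_demo are hypothetical, and the 2-element buffer, the 0xca fill and the "hello" input are constructed for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Hypothetical helper: 1 if a terminator exists within the first n elements. */
static int is_terminated(const wchar_t *buf, size_t n)
{
    return wmemchr(buf, L'\0', n) != NULL;
}

/* Hypothetical wrapper: same arguments as swprintf, but the buffer is
 * always terminated on return, whatever the libc does on failure. */
static int checked_swprintf(wchar_t *buf, size_t n, const wchar_t *fmt, ...)
{
    va_list ap;
    int ret;

    if (buf == NULL || n == 0)
        return -1;

    va_start(ap, fmt);
    ret = vswprintf(buf, n, fmt, ap);
    va_end(ap);

    if (ret < 0 || (size_t)ret >= n) {
        buf[n - 1] = L'\0';   /* truncation or error: force termination */
        return -1;
    }
    return ret;
}

/* Constructed scenario: poison a 2-element buffer, then format a
 * 5-character string into it. Returns the wrapper's result. */
static int truncation_demo(wchar_t buf[2])
{
    memset(buf, 0xca, 2 * sizeof(wchar_t));
    return checked_swprintf(buf, 2, L"%ls", L"hello");
}

int main(void)
{
    wchar_t buf[2];
    int ret = truncation_demo(buf);
    printf("ret: %d   buf: %x %x\n", ret, (unsigned)buf[0], (unsigned)buf[1]);
    return is_terminated(buf, 2) ? 0 : 1;
}
```

Callers that pass the buffer on to wcslen, wcscpy or similar should check the return value as well, since a negative result means the contents are at best a truncated prefix.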
