[Bug 2011326] Re: glibc 2.37: snprintf() on armhf wrongly truncates writes given extremely large size argument

Michael Hudson-Doyle 2011326 at bugs.launchpad.net
Sun Mar 12 21:01:24 UTC 2023


I can't find language in the standard that says that; the description of
snprintf just says that output won't be written past the specified size.
Is there some more generic section that covers this? Obviously causing
output to be written beyond the actual size of the array is undefined
behaviour. I'm not going to argue this is good code (sprintf is bad ->
let's call snprintf with INT_MAX is some impressive thinking).

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to glibc in Ubuntu.
https://bugs.launchpad.net/bugs/2011326

Title:
  glibc 2.37: snprintf() on armhf wrongly truncates writes given
  extremely large size argument

Status in glibc package in Ubuntu:
  New

Bug description:
  The cyrus-imapd package fails to build from source on armhf in lunar
  against glibc 2.37.  I've tracked this down to a combination of bad
  string handling in the cyrus library's API, and a regression in glibc
  2.37 vs 2.36 when snprintf() is passed a size argument whose value is
  very close to INT_MAX.

  Basically, since the API is passed a buffer of unknown size, and then
  passes this on to functions that DO safe handling of buffer lengths,
  it claims a buffer size of INT_MAX.  Because the functions start
  filling the buffer before the call to snprintf(), the actual size
  argument to snprintf() is slightly less than INT_MAX.  This is
  unrealistic and incorrect, but technically valid, so snprintf() should
  handle it correctly.

  Below is a reproducer that demonstrates the bug on armhf.

  #include <limits.h>
  #include <stdio.h>
  #include <string.h>

  int main(void) {

      char buf[32];
      int res;

      /* Honest size argument: at most sizeof(buf)-2 characters plus the NUL. */
      res = snprintf(buf, sizeof(buf)-1, "%s", "hello world");

      printf("having a normal one. res=%d,buf=%s\n",res,buf);

      /* Size argument far larger than the 32-byte buffer, as the cyrus API
         does.  The 11-character output still fits, so a conforming snprintf()
         returns 11 and leaves "hello world" in buf; on armhf with glibc 2.37
         the write is wrongly truncated. */
      res = snprintf(buf, INT_MAX, "%s", "hello world");

      printf("res=%d but buf=%s\n",res,buf);

      return 0;
  }

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/2011326/+subscriptions
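The bug description mentions an append pattern: a function starts filling a buffer, then calls snprintf() with whatever it believes is left. The program below is an added example, not code from the bug report, from cyrus-imapd or from glibc; the helper name append_str and the 16-byte buffers are constructed for illustration. It shows the same pattern written so that the size argument always reflects the real remaining capacity of the buffer, so that truncation is detected from snprintf()'s return value rather than assumed away, and so that the offset-past-end edge case cannot underflow into a huge size.

```c
#include <stdio.h>
#include <string.h>

/* Append the string s to buf (total capacity bufsize, *used bytes already
 * occupied, not counting the NUL).  The size passed to snprintf() is the
 * honest remaining capacity, never a sentinel such as INT_MAX.
 * Returns the number of bytes appended, or -1 if s did not fit; in the
 * truncated case buf is still NUL-terminated within its bounds and *used
 * is set to bufsize - 1 so later appends fail cleanly. */
static int append_str(char *buf, size_t bufsize, size_t *used, const char *s)
{
    if (*used >= bufsize)               /* no room even for the NUL */
        return -1;

    size_t remaining = bufsize - *used; /* cannot underflow after the check */
    int n = snprintf(buf + *used, remaining, "%s", s);
    if (n < 0)
        return -1;                      /* encoding/output error */

    if ((size_t)n >= remaining) {
        /* snprintf() wrote remaining-1 characters plus NUL and reported the
         * full length it wanted; record the buffer as full. */
        *used = bufsize - 1;
        return -1;
    }

    *used += (size_t)n;
    return n;
}

/* Constructed case 1: both pieces fit in a 16-byte buffer.
 * Returns the bytes in use afterwards (11), or a negative value on failure. */
int demo_fits(void)
{
    char buf[16];
    size_t used = 0;

    if (append_str(buf, sizeof buf, &used, "hello ") < 0) return -1;
    if (append_str(buf, sizeof buf, &used, "world") < 0)  return -1;
    return strcmp(buf, "hello world") == 0 ? (int)used : -1;
}

/* Constructed case 2: the second piece does not fit.  The helper reports
 * truncation, the buffer holds the 15 characters that did fit, and it is
 * still NUL-terminated inside its 16 bytes.  Returns 0 when all of that
 * holds, a negative code otherwise. */
int demo_truncates(void)
{
    char buf[16];
    size_t used = 0;

    if (append_str(buf, sizeof buf, &used, "hello ") < 0) return -1;
    int rc = append_str(buf, sizeof buf, &used, "wonderful world");
    if (rc != -1)                 return -2;
    if (used != sizeof buf - 1)   return -3;
    if (strlen(buf) != 15)        return -4;
    return strncmp(buf, "hello wonderful", 15) == 0 ? 0 : -5;
}

int main(void)
{
    printf("demo_fits() = %d (expect 11)\n", demo_fits());
    printf("demo_truncates() = %d (expect 0)\n", demo_truncates());
    return 0;
}
```

The contrast with the cyrus pattern is the size argument: when an API genuinely does not know how large the caller's buffer is, claiming INT_MAX makes snprintf()'s bounds check meaningless (it is then only the format and arguments that keep the write inside the array), whereas threading the real size and the current offset through, as above, lets the return value tell the caller exactly when output was cut off.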
More information about the foundations-bugs mailing list