[Bug 2011326] Re: glibc 2.37: snprintf() on armhf wrongly truncates writes given extremely large size argument
Simon Chopin
2011326 at bugs.launchpad.net
Wed Mar 15 15:01:46 UTC 2023
Marking as Invalid in glibc as it's not possible to trigger the
regression with valid arguments (with the understanding that valid here
is "n is the actual size of the buffer"): if it's the size of the
buffer, by definition it can't overflow the address space.
** Changed in: glibc (Ubuntu)
Status: Triaged => Invalid
https://bugs.launchpad.net/bugs/2011326
Title:
glibc 2.37: snprintf() on armhf wrongly truncates writes given
extremely large size argument
Status in cyrus-imapd package in Ubuntu:
In Progress
Status in glibc package in Ubuntu:
Invalid
Bug description:
The cyrus-imapd package fails to build from source on armhf in lunar
against glibc 2.37. I've tracked this down to a combination of bad
string handling in the cyrus library's API, and a regression in glibc
2.37 vs 2.36 when snprintf() is passed a size argument whose value is
very close to INT_MAX.
Basically, since the API is passed a buffer of unknown size, and then
passes this on to functions that DO safe handling of buffer lengths,
it claims a buffer size of INT_MAX. Because the functions start
filling the buffer before the call to snprintf(), the actual size
argument to snprintf() is slightly less than INT_MAX. This is
unrealistic and incorrect, but technically valid, so snprintf() should
handle it correctly.
Below is a reproducer that demonstrates the bug on armhf.
    #include <limits.h>
    #include <stdio.h>
    #include <string.h>

    int main(void) {
        char buf[32];
        int res;

        /* Baseline: the size argument is within the real buffer. */
        res = snprintf(buf, sizeof(buf)-1, "%s", "hello world");
        printf("having a normal one. res=%d,buf=%s\n",res,buf);

        /* Size argument far larger than the real 32-byte buffer. */
        res = snprintf(buf, INT_MAX, "%s", "hello world");
        printf("res=%d but buf=%s\n",res,buf);
        return 0;
    }
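An added example, not part of the bug report and not code from cyrus-imapd or glibc: it checks whether a claimed size starting at a given address would run past the top of a 32-bit address space, which is the condition the Invalid comment refers to, and shows an append helper that passes snprintf-style functions the real remaining capacity instead of a value near INT_MAX. The names `claimed_size_wraps` and `buf_appendf` and the sample address are assumptions made for illustration.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 1 if the n bytes starting at 'start' would run past 'addr_max', the
 * highest valid address. addr_max is a parameter so the 32-bit case can
 * be evaluated on any host. */
static int claimed_size_wraps(uintptr_t start, size_t n, uintptr_t addr_max)
{
    if (start > addr_max)
        return 1;
    return n > 0 && n - 1 > addr_max - start;
}

/* Hypothetical helper (not the cyrus API): append formatted text to buf,
 * whose real capacity is cap, with *used bytes already filled.
 * Returns 0 on success, -1 if the text does not fit. */
static int buf_appendf(char *buf, size_t cap, size_t *used, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (*used >= cap)
        return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *used, cap - *used, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *used) {
        buf[*used] = '\0';          /* drop the partial write */
        return -1;
    }
    *used += (size_t)n;
    return 0;
}

int main(void)
{
    char buf[32];
    size_t used = 0;
    uintptr_t stack_addr = 0xbefff000u;   /* constructed sample address */
    printf("INT_MAX-16 claimed at sample address wraps: %d\n",
           claimed_size_wraps(stack_addr, (size_t)INT_MAX - 16, (uintptr_t)UINT32_MAX));
    buf_appendf(buf, sizeof(buf), &used, "%s", "hello world");
    printf("used=%zu buf=%s\n", used, buf);
    return 0;
}
```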