aboutsummaryrefslogtreecommitdiff
path: root/stdio-common/vfprintf-internal.c
AgeCommit message (Collapse)AuthorFilesLines
2022-01-01Update copyright dates with scripts/update-copyrightsPaul Eggert1-1/+1
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 7061 files FOO. I then removed trailing white space from math/tgmath.h, support/tst-support-open-dev-null-range.c, and sysdeps/x86_64/multiarch/strlen-vec.S, to work around the following obscure pre-commit check failure diagnostics from Savannah. I don't know why I run into these diagnostics whereas others evidently do not. remote: *** 912-#endif remote: *** 913: remote: *** 914- remote: *** error: lines with trailing whitespace found ... remote: *** error: sysdeps/unix/sysv/linux/statx_cp.c: trailing lines
2021-12-23stdio: Implement %#m for vfprintf and related functionsFlorian Weimer1-5/+20
%#m prints errno as an error constant if one is available, or a decimal number as a fallback. This intends to address the gap that strerrorname_np does not work well with printf for unknown error codes due to its NULL return values in those cases. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2021-11-10Support C2X printf %b, %BJoseph Myers1-17/+31
C2X adds a printf %b format (see <http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2630.pdf>, accepted for C2X), for outputting integers in binary. It also has recommended practice for a corresponding %B format (like %b, but %#B starts the output with 0B instead of 0b). Add support for these formats to glibc. One existing test uses %b as an example of an unknown format, to test how glibc printf handles unknown formats; change that to %v. Use of %b and %B as user-registered format specifiers continues to work (and we already have a test that covers that, tst-printfsz.c). Note that C2X also has scanf %b support, plus support for binary constants starting 0b in strtol (base 0 and 2) and scanf %i (strtol base 0 and scanf %i coming from a previous paper that added binary integer literals). I intend to implement those features in a separate patch or patches; as discussed in the thread starting at <https://sourceware.org/pipermail/libc-alpha/2020-December/120414.html>, they will be more complicated because they involve adding extra public symbols to ensure compatibility with existing code that might not expect 0b constants to be handled by strtol base 0 and 2 and scanf %i, whereas simply adding a new format specifier poses no such compatibility concerns. Note that the actual conversion from integer to string uses existing code in _itoa.c. That code has special cases for bases 8, 10 and 16, probably so that the compiler can optimize division by an integer constant in the code for those bases. If desired such special cases could easily be added for base 2 as well, but that would be an optimization, not actually needed for these printf formats to work. Tested for x86_64 and x86. Also tested with build-many-glibcs.py for aarch64-linux-gnu with GCC mainline to make sure that the test does indeed build with GCC 12 (where format checking warnings are enabled for most of the test).
2021-11-08Fix memmove call in vfprintf-internal.c:group_numberJoseph Myers1-1/+2
A recent GCC mainline change introduces errors of the form: vfprintf-internal.c: In function 'group_number': vfprintf-internal.c:2093:15: error: 'memmove' specified bound between 9223372036854775808 and 18446744073709551615 exceeds maximum object size 9223372036854775807 [-Werror=stringop-overflow=] 2093 | memmove (w, s, (front_ptr -s) * sizeof (CHAR_T)); | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ This is a genuine bug in the glibc code: s > front_ptr is always true at this point in the code, and the intent is clearly for the subtraction to be the other way round. The other arguments to the memmove call here also appear to be wrong; w and s point just *after* the destination and source for copying the rest of the number, so the size needs to be subtracted to get appropriate pointers for the copying. Adjust the memmove call to conform to the apparent intent of the code, so fixing the -Wstringop-overflow error. Now, if the original code were ever executed, a buffer overrun would result. However, I believe this code (introduced in commit edc1686af0c0fc2eb535f1d38cdf63c1a5a03675, "vfprintf: Reuse work_buffer in group_number", so in glibc 2.26) is unreachable in prior glibc releases (so there is no need for a bug in Bugzilla, no need to consider any backports unless someone wants to build older glibc releases with GCC 12 and no possibility of this buffer overrun resulting in a security issue). work_buffer is 1000 bytes / 250 wide characters. This case is only reachable if an initial part of the number, plus a grouped copy of the rest of the number, fail to fit in that space; that is, if the grouped number fails to fit in the space. In the wide character case, grouping is always one wide character, so even with a locale (of which there aren't any in glibc) grouping every digit, a number would need to occupy at least 125 wide characters to overflow, and a 64-bit integer occupies at most 23 characters in octal including a leading 0. In the narrow character case, the multibyte encoding of the grouping separator would need to be at least 42 bytes to overflow, again supposing grouping every digit, but MB_LEN_MAX is 16. So even if we admit the case of artificially constructed locales not shipped with glibc, given that such a locale would need to use one of the character sets supported by glibc, this code cannot be reached at present. (And POSIX only actually specifies the ' flag for grouping for decimal output, though glibc acts on it for other bases as well.) With binary output (if you consider use of grouping there to be valid), you'd need a 15-byte multibyte character for overflow; I don't know if any supported character set has such a character (if, again, we admit constructed locales using grouping every digit and a grouping separator chosen to have a multibyte encoding as long as possible, as well as accepting use of grouping with binary), but given that we have this code at all (clearly it's not *correct*, or in accordance with the principle of avoiding arbitrary limits, to skip grouping on running out of internal space like that), I don't think it should need any further changes for binary printf support to go in. On the other hand, support for large sizes of _BitInt in printf (see the N2858 proposal) *would* require something to be done about such arbitrary limits (presumably using dynamic allocation in printf again, for sufficiently large _BitInt arguments only - currently only floating-point uses dynamic allocation, and, as previously discussed, that could actually be replaced by bounded allocation given smarter code). Tested with build-many-glibcs.py for aarch64-linux-gnu (GCC mainline). Also tested natively for x86_64.
2021-09-23vfprintf: Unify argument handling in process_argFlorian Weimer1-117/+89
Instead of checking a pointer argument for NULL, use helper macros defined differently in the non-positional and positional cases. This avoids frequent conditional checks and a GCC 12 warning about comparing pointers against NULL which cannot be NULL.
2021-09-23vfprintf: Handle floating-point cases outside of process_arg macroFlorian Weimer1-111/+75
A lot of the code is unique to the positional and non-positional code. Also unify the decimal and hexadecimal cases via the new helper function __printf_fp_spec.
2021-01-02Update copyright dates with scripts/update-copyrightsPaul Eggert1-1/+1
I used these shell commands: ../glibc/scripts/update-copyrights $PWD/../gnulib/build-aux/update-copyright (cd ../glibc && git commit -am"[this commit message]") and then ignored the output, which consisted lines saying "FOO: warning: copyright statement not found" for each of 6694 files FOO. I then removed trailing white space from benchtests/bench-pthread-locks.c and iconvdata/tst-iconv-big5-hkscs-to-2ucs4.c, to work around this diagnostic from Savannah: remote: *** pre-commit check failed ... remote: *** error: lines with trailing whitespace found remote: error: hook declined to update refs/heads/master
2020-07-07Remove most vfprintf width/precision-dependent allocations (bug 14231, bug ↵Joseph Myers1-119/+1
26211). The vfprintf implementation (used for all printf-family functions) contains complicated logic to allocate internal buffers of a size depending on the width and precision used for a format, using either malloc or alloca depending on that size, and with consequent checks for size overflow and allocation failure. As noted in bug 26211, the version of that logic used when '$' plus argument number formats are in use is missing the overflow checks, which can result in segfaults (quite possibly exploitable, I didn't try to work that out) when the width or precision is in the range 0x7fffffe0 through 0x7fffffff (maybe smaller values as well in the wprintf case on 32-bit systems, when the multiplication by sizeof (CHAR_T) can overflow). All that complicated logic in fact appears to be useless. As far as I can tell, there has been no need (outside the floating-point printf code, which does its own allocations) for allocations depending on width or precision since commit 3e95f6602b226e0de06aaff686dc47b282d7cc16 ("Remove limitation on size of precision for integers", Sun Sep 12 21:23:32 1999 +0000). Thus, this patch removes that logic completely, thereby fixing both problems with excessive allocations for large width and precision for non-floating-point formats, and the problem with missing overflow checks with such allocations. Note that this does have the consequence that width and precision up to INT_MAX are now allowed where previously INT_MAX / sizeof (CHAR_T) - EXTSIZ or more would have been rejected, so could potentially expose any other overflows where the value would previously have been rejected by those removed checks. I believe this completely fixes bugs 14231 and 26211. Excessive allocations are still possible in the floating-point case (bug 21127), as are other integer or buffer overflows (see bug 26201). This does not address the cases where a precision larger than INT_MAX (embedded in the format string) would be meaningful without printf's return value overflowing (when it's used with a string format, or %g without the '#' flag, so the actual output will be much smaller), as mentioned in bug 17829 comment 8; using size_t internally for precision to handle that case would be complicated by struct printf_info being a public ABI. Nor does it address the matter of an INT_MIN width being negated (bug 17829 comment 7; the same logic appears a second time in the file as well, in the form of multiplying by -1). There may be other sources of memory allocations with malloc in printf functions as well (bug 24988, bug 16060). From inspection, I think there are also integer overflows in two copies of "if ((width -= len) < 0)" logic (where width is int, len is size_t and a very long string could result in spurious padding being output on a 32-bit system before printf overflows the count of output characters). Tested for x86-64 and x86.
2020-03-20stdio: Remove memory leak from multibyte convertion [BZ#25691]Florian Weimer1-144/+180
This is an updated version of a previous patch [1] with the following changes: - Use compiler overflow builtins on done_add_func function. - Define the scratch +utstring_converted_wide_string using CHAR_T. - Added a testcase and mention the bug report. Both default and wide printf functions might leak memory when manipulate multibyte characters conversion depending of the size of the input (whether __libc_use_alloca trigger or not the fallback heap allocation). This patch fixes it by removing the extra memory allocation on string formatting with conversion parts. The testcase uses input argument size that trigger memory leaks on unpatched code (using a scratch buffer the threashold to use heap allocation is lower). Checked on x86_64-linux-gnu and i686-linux-gnu. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> [1] https://sourceware.org/pipermail/libc-alpha/2017-June/082098.html
2020-01-01Update copyright dates with scripts/update-copyrights.Joseph Myers1-1/+1
2019-09-07Prefer https to http for gnu.org and fsf.org URLsPaul Eggert1-1/+1
Also, change sources.redhat.com to sourceware.org. This patch was automatically generated by running the following shell script, which uses GNU sed, and which avoids modifying files imported from upstream: sed -ri ' s,(http|ftp)(://(.*\.)?(gnu|fsf|sourceware)\.org($|[^.]|\.[^a-z])),https\2,g s,(http|ftp)(://(.*\.)?)sources\.redhat\.com($|[^.]|\.[^a-z]),https\2sourceware.org\4,g ' \ $(find $(git ls-files) -prune -type f \ ! -name '*.po' \ ! -name 'ChangeLog*' \ ! -path COPYING ! -path COPYING.LIB \ ! -path manual/fdl-1.3.texi ! -path manual/lgpl-2.1.texi \ ! -path manual/texinfo.tex ! -path scripts/config.guess \ ! -path scripts/config.sub ! -path scripts/install-sh \ ! -path scripts/mkinstalldirs ! -path scripts/move-if-change \ ! -path INSTALL ! -path locale/programs/charmap-kw.h \ ! -path po/libc.pot ! -path sysdeps/gnu/errlist.c \ ! '(' -name configure \ -execdir test -f configure.ac -o -f configure.in ';' ')' \ ! '(' -name preconfigure \ -execdir test -f preconfigure.ac ';' ')' \ -print) and then by running 'make dist-prepare' to regenerate files built from the altered files, and then executing the following to cleanup: chmod a+x sysdeps/unix/sysv/linux/riscv/configure # Omit irrelevant whitespace and comment-only changes, # perhaps from a slightly-different Autoconf version. git checkout -f \ sysdeps/csky/configure \ sysdeps/hppa/configure \ sysdeps/riscv/configure \ sysdeps/unix/sysv/linux/csky/configure # Omit changes that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/powerpc/powerpc64/ppc-mcount.S: trailing lines git checkout -f \ sysdeps/powerpc/powerpc64/ppc-mcount.S \ sysdeps/unix/sysv/linux/s390/s390-64/syscall.S # Omit change that caused a pre-commit check to fail like this: # remote: *** error: sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S: last line does not end in newline git checkout -f sysdeps/sparc/sparc64/multiarch/memcpy-ultra3.S
2019-06-27Prepare vfprintf to use __printf_fp/__printf_fphex with float128 argGabriel F. T. Gomes1-13/+60
On powerpc64le, long double can currently take two formats: the same as double (-mlong-double-64) or IBM Extended Precision (default with -mlong-double-128 or explicitly with -mabi=ibmlongdouble). The internal implementation of printf-like functions is aware of these possibilities and properly parses floating-point values from the variable arguments, before making calls to __printf_fp and __printf_fphex. These functions are also aware of the format possibilities and know how to convert both formats to string. When library support for TS 18661-3 was added to glibc, __printf_fp and __printf_fphex were extended with support for an additional type (__float128/_Float128) with a different format (binary128). Now that powerpc64le is getting support for its third long double format, and taking into account that this format is the same as the format of __float128/_Float128, this patch extends __vfprintf_internal to properly call __printf_fp and __printf_fphex with this new format. Tested for powerpc64le (with additional patches to actually enable the use of these preparations) and for x86_64. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2019-02-22Break some lines before not after operators.Joseph Myers1-2/+2
The GNU Coding Standards specify that line breaks in expressions should go before an operator, not after one. This patch fixes various code to do this. It only changes code that appears to be mostly following GNU style anyway, not files and directories with substantially different formatting. It is not exhaustive even for files using GNU style (for example, changes to sysdeps files are deferred for subsequent cleanups). Some files changed are shared with gnulib, but most are specific to glibc. Changes were made manually, with places to change found by grep (so some cases, e.g. where the operator was followed by a comment at end of line, are particularly liable to have been missed by grep, but I did include cases where the operator was followed by backslash-newline). This patch generally does not attempt to address other coding style issues in the expressions changed (for example, missing spaces before '(', or lack of parentheses to ensure indentation of continuation lines properly reflects operator precedence). Tested for x86_64, and with build-many-glibcs.py. * benchtests/bench-memmem.c (simple_memmem): Break lines before rather than after operators. * benchtests/bench-skeleton.c (TIMESPEC_AFTER): Likewise. * crypt/md5.c (md5_finish_ctx): Likewise. * crypt/sha256.c (__sha256_finish_ctx): Likewise. * crypt/sha512.c (__sha512_finish_ctx): Likewise. * elf/cache.c (load_aux_cache): Likewise. * elf/dl-load.c (open_verify): Likewise. * elf/get-dynamic-info.h (elf_get_dynamic_info): Likewise. * elf/readelflib.c (process_elf_file): Likewise. * elf/rtld.c (dl_main): Likewise. * elf/sprof.c (generate_call_graph): Likewise. * hurd/ctty-input.c (_hurd_ctty_input): Likewise. * hurd/ctty-output.c (_hurd_ctty_output): Likewise. * hurd/dtable.c (reauth_dtable): Likewise. * hurd/getdport.c (__getdport): Likewise. * hurd/hurd/signal.h (_hurd_interrupted_rpc_timeout): Likewise. * hurd/hurd/sigpreempt.h (HURD_PREEMPT_SIGNAL_P): Likewise. * hurd/hurdfault.c (_hurdsig_fault_catch_exception_raise): Likewise. * hurd/hurdioctl.c (fioctl): Likewise. * hurd/hurdselect.c (_hurd_select): Likewise. * hurd/hurdsig.c (_hurdsig_abort_rpcs): Likewise. (STOPSIGS): Likewise. * hurd/hurdstartup.c (_hurd_startup): Likewise. * hurd/intr-msg.c (_hurd_intr_rpc_mach_msg): Likewise. * hurd/lookup-retry.c (__hurd_file_name_lookup_retry): Likewise. * hurd/msgportdemux.c (msgport_server): Likewise. * hurd/setauth.c (_hurd_setauth): Likewise. * include/features.h (__GLIBC_USE_DEPRECATED_SCANF): Likewise. * libio/libioP.h [IO_DEBUG] (CHECK_FILE): Likewise. * locale/programs/ld-ctype.c (set_class_defaults): Likewise. * localedata/tests-mbwc/tst_swscanf.c (tst_swscanf): Likewise. * login/tst-utmp.c (do_check): Likewise. (simulate_login): Likewise. * mach/lowlevellock.h (lll_lock): Likewise. (lll_trylock): Likewise. * math/test-fenv.c (ALL_EXC): Likewise. * math/test-fenvinline.c (ALL_EXC): Likewise. * misc/sys/cdefs.h (__attribute_deprecated_msg__): Likewise. * nis/nis_call.c (__do_niscall3): Likewise. * nis/nis_callback.c (cb_prog_1): Likewise. * nis/nis_defaults.c (searchaccess): Likewise. * nis/nis_findserv.c (__nis_findfastest_with_timeout): Likewise. * nis/nis_ismember.c (internal_ismember): Likewise. * nis/nis_local_names.c (nis_local_principal): Likewise. * nis/nss_nis/nis-rpc.c (_nss_nis_getrpcbyname_r): Likewise. * nis/nss_nisplus/nisplus-netgrp.c (_nss_nisplus_getnetgrent_r): Likewise. * nis/ypclnt.c (yp_match): Likewise. (yp_first): Likewise. (yp_next): Likewise. (yp_master): Likewise. (yp_order): Likewise. * nscd/hstcache.c (cache_addhst): Likewise. * nscd/initgrcache.c (addinitgroupsX): Likewise. * nss/nss_compat/compat-pwd.c (copy_pwd_changes): Likewise. (internal_getpwuid_r): Likewise. * nss/nss_compat/compat-spwd.c (copy_spwd_changes): Likewise. * posix/glob.h (__GLOB_FLAGS): Likewise. * posix/regcomp.c (peek_token): Likewise. (peek_token_bracket): Likewise. (parse_expression): Likewise. * posix/regexec.c (sift_states_iter_mb): Likewise. (check_node_accept_bytes): Likewise. * posix/tst-spawn3.c (do_test): Likewise. * posix/wordexp-test.c (testit): Likewise. * posix/wordexp.c (parse_tilde): Likewise. (exec_comm): Likewise. * posix/wordexp.h (__WRDE_FLAGS): Likewise. * resource/vtimes.c (TIMEVAL_TO_VTIMES): Likewise. * setjmp/sigjmp.c (__sigjmp_save): Likewise. * stdio-common/printf_fp.c (__printf_fp_l): Likewise. * stdio-common/tst-fileno.c (do_test): Likewise. * stdio-common/vfprintf-internal.c (vfprintf): Likewise. * stdlib/strfmon_l.c (__vstrfmon_l_internal): Likewise. * stdlib/strtod_l.c (round_and_return): Likewise. (____STRTOF_INTERNAL): Likewise. * stdlib/tst-strfrom.h (TEST_STRFROM): Likewise. * string/strcspn.c (STRCSPN): Likewise. * string/test-memmem.c (simple_memmem): Likewise. * termios/tcsetattr.c (tcsetattr): Likewise. * time/alt_digit.c (_nl_parse_alt_digit): Likewise. * time/asctime.c (asctime_internal): Likewise. * time/strptime_l.c (__strptime_internal): Likewise. * time/sys/time.h (timercmp): Likewise. * time/tzfile.c (__tzfile_compute): Likewise.
2019-01-01Update copyright dates with scripts/update-copyrights.Joseph Myers1-1/+1
* All files with FSF copyright notices: Update copyright dates using scripts/update-copyrights. * locale/programs/charmap-kw.h: Regenerated. * locale/programs/locfile-kw.h: Likewise.
2018-12-05Use PRINTF_LDBL_IS_DBL instead of __ldbl_is_dbl.Zack Weinberg1-4/+0
After all that prep work, nldbl-compat.c can now use PRINTF_LDBL_IS_DBL instead of __no_long_double to control the behavior of printf-like functions; this is the last thing we needed __no_long_double for, so it can go away entirely. Tested for powerpc and powerpc64le.
2018-12-05Use PRINTF_FORTIFY instead of _IO_FLAGS2_FORTIFY (bug 11319)Zack Weinberg1-2/+0
The _chk variants of all of the printf functions become much simpler. This is the last thing that we needed _IO_acquire_lock_clear_flags2 for, so it can go as well. I took the opportunity to make the headers included and the names of all local variables consistent across all the affected files. Since we ultimately want to get rid of __no_long_double as well, it must be possible to get all of the nontrivial effects of the _chk functions by calling the _internal functions with appropriate flags. For most of the __(v)xprintf_chk functions, this is covered by PRINTF_FORTIFY plus some up-front argument checks that can be duplicated. However, __(v)sprintf_chk installs a custom jump table so that it can crash instead of overflowing the output buffer. This functionality is moved to __vsprintf_internal, which now has a 'maxlen' argument like __vsnprintf_internal; to get the unsafe behavior of ordinary (v)sprintf, pass -1 for that argument. obstack_printf_chk and obstack_vprintf_chk are no longer in the same file. As a side-effect of the unification of both fortified and non-fortified vdprintf initialization, this patch fixes bug 11319 for __dprintf_chk and __vdprintf_chk, which was previously fixed only for dprintf and vdprintf by the commit commit 7ca890b88e6ab7624afb1742a9fffb37ad5b3fc3 Author: Ulrich Drepper <drepper@redhat.com> Date: Wed Feb 24 16:07:57 2010 -0800 Fix reporting of I/O errors in *dprintf functions. This patch adds a test case to avoid regressions. Tested for powerpc and powerpc64le.
2018-12-05Add __v*printf_internal with flags argumentsZack Weinberg1-0/+2364
There are a lot more printf variants than there are scanf variants, and the code for setting up and tearing down their custom FILE variants around the call to __vf(w)printf is more complicated and variable. Therefore, I have added _internal versions of all the v*printf variants, rather than introducing helper routines so that they can all directly call __vf(w)printf_internal, as was done with scanf. As with the scanf changes, in this patch the _internal functions still look at the environmental mode bits and all callers pass 0 for the flags parameter. Several of the affected public functions had _IO_ name aliases that were not exported (but, in one case, appeared in libio.h anyway); I was originally planning to leave them as aliases to avoid having to touch internal callers, but it turns out ldbl_*_alias only work for exported symbols, so they've all been removed instead. It also turns out there were hardly any internal callers. _IO_vsprintf and _IO_vfprintf *are* exported, so those two stick around. Summary for the changes to each of the affected symbols: _IO_vfprintf, _IO_vsprintf: All internal calls removed, thus the internal declarations, as well as uses of libc_hidden_proto and libc_hidden_def, were also removed. The external symbol is now exposed via uses of ldbl_strong_alias to __vfprintf_internal and __vsprintf_internal, respectively. _IO_vasprintf, _IO_vdprintf, _IO_vsnprintf, _IO_vfwprintf, _IO_vswprintf, _IO_obstack_vprintf, _IO_obstack_printf: All internal calls removed, thus declaration in internal headers were also removed. They were never exported, so there are no aliases tying them to the internal functions. I.e.: entirely gone. __vsnprintf: Internal calls were always preceded by macros such as #define __vsnprintf _IO_vsnprintf, and #define __vsnprintf vsnprintf The macros were removed and their uses replaced with calls to the new internal function __vsnprintf_internal. Since there were no internal calls, the internal declaration was also removed. The external symbol is preserved with ldbl_weak_alias to ___vsnprintf. __vfwprintf: All internal calls converted into calls to __vfwprintf_internal, thus the internal declaration was removed. The function is now a wrapper that calls __vfwprintf_internal. The external symbol is preserved. __vswprintf: Similarly, but no external symbol. __vasprintf, __vdprintf, __vfprintf, __vsprintf: New internal wrappers. Not exported. vasprintf, vdprintf, vfprintf, vsprintf, vsnprintf, vfwprintf, vswprintf, obstack_vprintf, obstack_printf: These functions used to be aliases to the respective _IO_* function, they are now aliases to their respective __* functions. Tested for powerpc and powerpc64le.