From 0d50f477f47ba637b54fb03ac48d769ec4543e8d Mon Sep 17 00:00:00 2001
From: Florian Weimer
Date: Wed, 25 Jan 2023 08:01:00 +0100
Subject: stdio-common: Handle -1 buffer size in __sprintf_chk & co (bug 30039)
This shows up as an assertion failure when sprintf is called with a specifier like "%.8g" and libquadmath is linked in:
Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end
Fix this by detecting pointer wraparound in __vsprintf_internal and saturate the addition to the end of the address space instead.
Reviewed-by: Carlos O'Donell
Tested-by: Carlos O'Donell
---
 debug/Makefile | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'debug/Makefile')
diff --git a/debug/Makefile b/debug/Makefile
index 13f15d1..52f9a78 100644
--- a/debug/Makefile
+++ b/debug/Makefile
@@ -200,6 +200,10 @@ LDFLAGS-tst-backtrace6 = -rdynamic
 CFLAGS-tst-ssp-1.c += -fstack-protector-all
+# Disable compiler optimizations around vsprintf (the function under test).
+CFLAGS-tst-sprintf-fortify-unchecked.c = \
+ -fno-builtin-vsprintf -fno-builtin-__vsprintf_chk
+
 tests = backtrace-tst \
 tst-longjmp_chk \
 test-strcpy_chk \
@@ -211,6 +215,7 @@ tests = backtrace-tst \
 tst-backtrace5 \
 tst-backtrace6 \
 tst-realpath-chk \
+ tst-sprintf-fortify-unchecked \
 $(tests-all-chk)
 tests-time64 += \
-- cgit v1.1
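Review bot: The comment added in the first hunk of debug/Makefile says "optimizations", but the two flags do something narrower: they stop the compiler from treating vsprintf and __vsprintf_chk as builtins, presumably so the call stays a real call into libc instead of being folded or rewritten at compile time. I would say that directly and tie it to the bug, e.g. `# Keep the compiler from expanding vsprintf/__vsprintf_chk as builtins, so the test reaches the libc code path (bug 30039).` The new variable is also assigned with `=` while the neighbouring `CFLAGS-tst-ssp-1.c` uses `+=`; if per-file flags for this test are set anywhere earlier in the Makefile they would be overwritten, so `+=` looks safer unless the override is intended. The test source is not part of this page, so whether it enables _FORTIFY_SOURCE itself cannot be checked from here.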