Date: Wed, 13 Dec 2000 05:19:51 -0800 (PST)
From: luddes@hotmail.com
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/23521: NULL pointer write in vfprintf code
Message-ID: <200012131319.eBDDJps70162@freefall.freebsd.org>
Resent-Message-ID: <200012131320.eBDDK1670193@freefall.freebsd.org>
>Number:         23521
>Category:       misc
>Synopsis:       NULL pointer write in vfprintf code
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Dec 13 05:20:01 PST 2000
>Closed-Date:
>Last-Modified:
>Originator:     Ludde
>Release:        4.1.1
>Organization:
>Environment:
FreeBSD matchbox.dumle.nu 4.1.1-RELEASE FreeBSD 4.1.1-RELEASE #3: Wed Dec 6 19:34:33 CET 2000 root@matchbox.dumle.nu:/usr/src/sys/compile/MATCHBOX i386
>Description:
This code crashes because of a NULL pointer write inside the vfprintf code.
It should print the 8th argument as an integer.

    printf("%8$d", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);

GDB output:

    0x280d49e0 in vfprintf () from /usr/lib/libc.so.4
    (gdb) x/i $eip
    0x280d49e0 <vfprintf+10028>: mov %eax,(%edx)
    (gdb) info reg edx
    edx 0x0 0
>How-To-Repeat:
Compile a C program with this contents:

    #include <stdio.h>

    int main()
    {
        printf("%8$d", 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
        return 0;
    }

and run it.
>Fix:
Perhaps the memory allocation failure is at:

    if (tablemax >= STATIC_ARG_TBL_SIZE) {
        *argtable = (void **) malloc (sizeof (void *) * (tablemax + 1));
    }
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200012131319.eBDDJps70162>
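The argument-table sizing that the Fix section of the report points at, as an added example that is not FreeBSD's vfprintf code: a small positional-argument fetcher that scans the format string for the highest `%n$` index (tablemax), sizes the table to tablemax+1 slots so that slot tablemax is in bounds, and switches from the static table to malloc once tablemax >= STATIC_ARG_TBL_SIZE, refusing to continue when that allocation fails. The value STATIC_ARG_TBL_SIZE = 8, the assumption that every variadic argument is an int, and the function names are assumptions of this example, not facts from the report; under that assumption "%8$d" is exactly the first index for which the static table is too small, so the report's format is the first one to exercise the heap path.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed value of libc's static table size; it is not stated in the report. */
#define STATIC_ARG_TBL_SIZE 8

/*
 * Scan fmt for "%n$" positional conversions and return the highest n.
 * Returns 0 when no conversion is positional and -1 when positional and
 * plain conversions are mixed, which POSIX leaves undefined.
 */
int find_tablemax(const char *fmt)
{
    const char *p = fmt;
    int tablemax = 0, saw_positional = 0, saw_plain = 0;

    while ((p = strchr(p, '%')) != NULL) {
        p++;
        if (*p == '\0')
            break;
        if (*p == '%') {          /* literal "%%", not a conversion */
            p++;
            continue;
        }
        if (*p >= '1' && *p <= '9') {
            char *end;
            long n = strtol(p, &end, 10);
            if (*end == '$') {    /* "%n$": positional index */
                saw_positional = 1;
                if (n > tablemax)
                    tablemax = (int)n;
                p = end + 1;
                continue;
            }
            p = end;              /* the digits were a field width, e.g. "%5d" */
        }
        saw_plain = 1;            /* plain conversion such as "%d" or "%5d" */
    }
    if (saw_positional && saw_plain)
        return -1;
    return tablemax;
}

/*
 * The size test from the report's Fix snippet: the static table holds
 * slots 0..STATIC_ARG_TBL_SIZE-1, so slot tablemax needs the heap once
 * tablemax >= STATIC_ARG_TBL_SIZE.
 */
int argtable_on_heap(int tablemax)
{
    return tablemax >= STATIC_ARG_TBL_SIZE;
}

/*
 * Fetch the argument named by the single "%n$d" in fmt into *out.
 * Every variadic argument is assumed to be int (libc keeps a per-slot
 * type table instead). Returns 0 on success, -1 on a bad format or on
 * allocation failure, so the caller never writes through a NULL table.
 */
int fetch_positional_int(const char *fmt, int *out, ...)
{
    int statictable[STATIC_ARG_TBL_SIZE];
    int *argtable = statictable;
    int tablemax = find_tablemax(fmt);
    int i;
    va_list ap;

    if (tablemax <= 0)
        return -1;
    if (argtable_on_heap(tablemax)) {
        /* tablemax + 1 slots so that argtable[tablemax] is in bounds */
        argtable = malloc(sizeof(int) * (size_t)(tablemax + 1));
        if (argtable == NULL)
            return -1;
    }

    va_start(ap, out);
    for (i = 1; i <= tablemax; i++)   /* slot 0 is unused; indices are 1-based */
        argtable[i] = va_arg(ap, int);
    va_end(ap);

    *out = argtable[tablemax];
    if (argtable != statictable)
        free(argtable);
    return 0;
}

int main(void)
{
    int v;
    /* The report's format with ten constructed arguments; only the 8th is used. */
    if (fetch_positional_int("%8$d", &v, 0, 0, 0, 0, 0, 0, 0, 42, 0, 0) == 0)
        printf("tablemax=%d heap=%d value=%d\n",
               find_tablemax("%8$d"), argtable_on_heap(8), v);
    return 0;
}
```

The parser deliberately rejects formats that mix "%n$" and plain conversions, because a table built from positional indices alone cannot tell where a plain conversion's argument sits in the va_list; that is the same reason POSIX requires all arguments up to the highest index to be named when positional conversions are used.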