This is an archive of the discontinued LLVM Phabricator instance.

Differential D137367

[libc][obvious] fix printf failing to stop on %\0
ClosedPublic

Authored by michaelrj on Nov 3 2022, 3:28 PM.

Details

Reviewers
sivachandra
Commits
rG28e312cbf098: [libc][obvious] fix printf failing to stop on %\0
Summary

Previously, the printf parser would treat "%\0" as a conversion with the
name "\0", and advance past the null byte causing a buffer overflow.
This patch corrects that in both printf and scanf.

Diff Detail

Event Timeline

michaelrj created this revision.Nov 3 2022, 3:28 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptNov 3 2022, 3:28 PM
Herald added subscribers: libc-commits, ecnelises, tschuett. · View Herald Transcript
michaelrj requested review of this revision.Nov 3 2022, 3:28 PM
Harbormaster completed remote builds in B196011: Diff 473055.Nov 3 2022, 3:34 PM
sivachandra accepted this revision.Nov 6 2022, 11:36 PM
This revision is now accepted and ready to land.Nov 6 2022, 11:36 PM
Closed by commit rG28e312cbf098: [libc][obvious] fix printf failing to stop on %\0 (authored by michaelrj). · Explain WhyNov 7 2022, 10:44 AM
This revision was automatically updated to reflect the committed changes.
michaelrj added a commit: rG28e312cbf098: [libc][obvious] fix printf failing to stop on %\0.

Revision Contents

PathSize
libc/
src/
stdio/
printf_core/
11 lines
scanf_core/
9 lines
test/
src/
stdio/
printf_core/
13 lines
scanf_core/
13 lines

Diff 473745

libc/src/stdio/printf_core/parser.cpp

Show First 20 LinesShow All 145 Lines▼ Show 20 Lines#endif // LLVM_LIBC_PRINTF_DISABLE_WRITE_INT
case ('s'): case ('s'):
section.conv_val_ptr = GET_ARG_VAL_SIMPLEST(void *, conv_index); section.conv_val_ptr = GET_ARG_VAL_SIMPLEST(void *, conv_index);
break; break;
default: default:
// if the conversion is undefined, change this to a raw section. // if the conversion is undefined, change this to a raw section.
section.has_conv = false; section.has_conv = false;
break; break;
} }
// If the end of the format section is on the '\0'. This means we need to
// not advance the cur_pos.
if (str[cur_pos] != '\0')
++cur_pos; ++cur_pos;
} else { } else {
// raw section // raw section
section.has_conv = false; section.has_conv = false;
while (str[cur_pos] != '%' && str[cur_pos] != '\0') while (str[cur_pos] != '%' && str[cur_pos] != '\0')
++cur_pos; ++cur_pos;
} }
section.raw_string = {str + starting_pos, cur_pos - starting_pos}; section.raw_string = {str + starting_pos, cur_pos - starting_pos};
return section; return section;
▲ Show 20 LinesShow All 204 Lines▼ Show 20 Lines#endif // LLVM_LIBC_PRINTF_DISABLE_WRITE_INT
conv_size = TYPE_DESC<int>; conv_size = TYPE_DESC<int>;
break; break;
} }
set_type_desc(conv_index, conv_size); set_type_desc(conv_index, conv_size);
if (conv_index == index) if (conv_index == index)
return conv_size; return conv_size;
} }
// If the end of the format section is on the '\0'. This means we need to
// not advance the local_pos.
if (str[local_pos] != '\0')
++local_pos; ++local_pos;
} }
// If there is no size for the requested index, then just guess that it's an // If there is no size for the requested index, then just guess that it's an
// int. // int.
return TYPE_DESC<int>; return TYPE_DESC<int>;
} }
void Parser::args_to_index(size_t index) { void Parser::args_to_index(size_t index) {
Show All 38 Lines

libc/src/stdio/scanf_core/parser.cpp

Show First 20 LinesShow All 68 Lines▼ Show 20 Lines#endif // LLVM_LIBC_SCANF_DISABLE_INDEX_MODE
// If NO_WRITE is not set, then read the next arg as the output pointer. // If NO_WRITE is not set, then read the next arg as the output pointer.
if ((section.flags & FormatFlags::NO_WRITE) == 0) { if ((section.flags & FormatFlags::NO_WRITE) == 0) {
// Since all outputs are pointers, there's no need to distinguish when // Since all outputs are pointers, there's no need to distinguish when
// reading from va_args. They're all the same size and stored the same. // reading from va_args. They're all the same size and stored the same.
section.output_ptr = GET_ARG_VAL_SIMPLEST(void *, conv_index); section.output_ptr = GET_ARG_VAL_SIMPLEST(void *, conv_index);
} }
// If the end of the format section is on the '\0'. This means we need to
// not advance the cur_pos and we should not count this has having a
// conversion.
if (str[cur_pos] != '\0') {
++cur_pos; ++cur_pos;
} else {
section.has_conv = false;
}
// If the format is a bracketed one, then we need to parse out the insides // If the format is a bracketed one, then we need to parse out the insides
// of the brackets. // of the brackets.
if (section.conv_name == '[') { if (section.conv_name == '[') {
constexpr char CLOSING_BRACKET = ']'; constexpr char CLOSING_BRACKET = ']';
constexpr char INVERT_FLAG = '^'; constexpr char INVERT_FLAG = '^';
constexpr char RANGE_OPERATOR = '-'; constexpr char RANGE_OPERATOR = '-';
▲ Show 20 LinesShow All 135 LinesShow Last 20 Lines

libc/test/src/stdio/printf_core/parser_test.cpp

Show First 20 LinesShow All 96 Lines▼ Show 20 LinesTEST(LlvmLibcPrintfParserTest, EvalOneArg) {
expected.raw_string = {str, 2}; expected.raw_string = {str, 2};
expected.conv_val_raw = arg1; expected.conv_val_raw = arg1;
expected.conv_name = 'd'; expected.conv_name = 'd';
ASSERT_PFORMAT_EQ(expected, format_arr[0]); ASSERT_PFORMAT_EQ(expected, format_arr[0]);
} }
TEST(LlvmLibcPrintfParserTest, EvalBadArg) {
__llvm_libc::printf_core::FormatSection format_arr[10];
const char *str = "%\0abc";
int arg1 = 12345;
evaluate(format_arr, str, arg1);
__llvm_libc::printf_core::FormatSection expected;
expected.has_conv = false;
expected.raw_string = {str, 1};
ASSERT_PFORMAT_EQ(expected, format_arr[0]);
}
TEST(LlvmLibcPrintfParserTest, EvalOneArgWithFlags) { TEST(LlvmLibcPrintfParserTest, EvalOneArgWithFlags) {
__llvm_libc::printf_core::FormatSection format_arr[10]; __llvm_libc::printf_core::FormatSection format_arr[10];
const char *str = "%+-0 #d"; const char *str = "%+-0 #d";
int arg1 = 12345; int arg1 = 12345;
evaluate(format_arr, str, arg1); evaluate(format_arr, str, arg1);
__llvm_libc::printf_core::FormatSection expected; __llvm_libc::printf_core::FormatSection expected;
expected.has_conv = true; expected.has_conv = true;
▲ Show 20 LinesShow All 352 LinesShow Last 20 Lines

libc/test/src/stdio/scanf_core/parser_test.cpp

Show First 20 LinesShow All 97 Lines▼ Show 20 LinesTEST(LlvmLibcScanfParserTest, EvalOneArg) {
expected.raw_string = str; expected.raw_string = str;
expected.output_ptr = &arg1; expected.output_ptr = &arg1;
expected.conv_name = 'd'; expected.conv_name = 'd';
ASSERT_SFORMAT_EQ(expected, format_arr[0]); ASSERT_SFORMAT_EQ(expected, format_arr[0]);
} }
TEST(LlvmLibcScanfParserTest, EvalBadArg) {
__llvm_libc::scanf_core::FormatSection format_arr[10];
const char *str = "%\0abc";
int arg1 = 12345;
evaluate(format_arr, str, &arg1);
__llvm_libc::scanf_core::FormatSection expected;
expected.has_conv = false;
expected.raw_string = {str, 1};
ASSERT_SFORMAT_EQ(expected, format_arr[0]);
}
TEST(LlvmLibcScanfParserTest, EvalOneArgWithFlag) { TEST(LlvmLibcScanfParserTest, EvalOneArgWithFlag) {
__llvm_libc::scanf_core::FormatSection format_arr[10]; __llvm_libc::scanf_core::FormatSection format_arr[10];
const char *str = "%*d"; const char *str = "%*d";
// Since NO_WRITE is set, the argument shouldn't be used, but I've included // Since NO_WRITE is set, the argument shouldn't be used, but I've included
// one anyways because in the case that it doesn't work it's better for it to // one anyways because in the case that it doesn't work it's better for it to
// have a real argument to check against. // have a real argument to check against.
int arg1 = 12345; int arg1 = 12345;
evaluate(format_arr, str, &arg1); evaluate(format_arr, str, &arg1);
▲ Show 20 LinesShow All 633 LinesShow Last 20 Lines