bug-bash

Re: Bash printf should diagnose integer overflow


From: Paul Eggert
Subject: Re: Bash printf should diagnose integer overflow
Date: Tue, 19 Mar 2024 20:48:20 -0700
User-agent: Mozilla Thunderbird

On 3/18/24 12:41, Chet Ramey wrote:
> I'm not sure what you're using, but that was not my experience on
> macOS.

I am using Fedora 39 (the current version) on x86-64. That could explain our differing experiences.

I see several diagnostics (mostly diff output) with "make check" on Fedora 39. The diagnostics can vary from run to run, i.e., they aren't necessarily reproducible. I assumed these were OK because I got 'em before any patches. From my point of view the diff output was sort of random, so I eyeballed it and guessed which outputs mattered and which didn't. Apparently I guessed incorrectly with fw.

At some point I suppose it'd be nice if 'make check' succeeded (exit status 0) or failed (nonzero exit status) so that it is easy for non-experts to tell which diagnostics matter; that's what many other packages do. For now I'd rather focus on the integer overflow issues in Bash, while they're fresh in my mind.


> First, the patched version doesn't build on macOS because your patches
> don't include <stdbool.h>. Once you get past that, printf goes into an
> infinite loop on
>
> printf -v s "%b" ""
>
> in printstr because `fw' is used uninitialized (and randomly set to some
> ridiculously large value). That and the old test's incorrect expectation
> that a field width of 9223372036854775825 would always overflow to -1 (a
> left-adjusted field width of 1) instead of being flagged as overflow are
> the UB I was talking about.

Yes, I see now. I didn't get that behavior on Fedora, perhaps because the junk in fw was benign there.

Perhaps at some point we could enable more of GCC's static checking to catch silly mistakes like that. Again, a task for another time.


> It should be mostly there in the changes I pushed today, once I made it
> through the above.

Thanks, I checked the devel branch against what I submitted, found a few errors, and while reviewing all this found and fixed a few other integer-overflow issues in Bash. Proposed patches attached, in "git format-patch" format so you can use "git am" on them. If there's some reason a patch shouldn't be applied please let me know so that I can stop worrying about that subissue.

Attachment: 0001-Improve-use-of-HAVE_C_BOOL.patch
Description: Text Data

Attachment: 0002-Minor-mkseq-clarification-tuning.patch
Description: Text Data

Attachment: 0003-Simplify-mkseq-control.patch
Description: Text Data

Attachment: 0004-printf-M.Nq-should-respect-N-even-if-M-overflows.patch
Description: Text Data

Attachment: 0005-Fix-bug-with-printf-.NQ-when-N-is-large.patch
Description: Text Data

Attachment: 0006-Omit-unnecessary-INT_MAX-checks-in-printf_builtin.patch
Description: Text Data

Attachment: 0007-Omit-unused-typemax.h-macros.patch
Description: Text Data

Attachment: 0008-Omit-unused-stringlist-functions.patch
Description: Text Data

Attachment: 0009-Define-NULL-offsetof-in-bashansi.h.patch
Description: Text Data

Attachment: 0010-Do-not-crash-if-NMEMB-SIZE-overflows-in-alloc.patch
Description: Text Data
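The two overflow themes in this exchange, a field width such as 9223372036854775825 that must be flagged rather than silently wrapped (signed overflow is undefined behaviour in C, so the -1 the old test expected was never guaranteed), a precision N that should still be honoured when the width M overflows, and an NMEMB*SIZE product that must be checked before allocating, can be shown together in a small standalone program. This is an added example written for this page; it is not code from the thread, from the attached patches, or from bash's printf builtin, and it simplifies the spec grammar to plain digits (no `*`, flags or conversion characters). The struct and function names are this example's own.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parsed "M.N" width/precision spec. Hypothetical structure for this
   example, not bash's representation. A value that did not fit in an int
   is saturated at INT_MAX and the matching overflow flag is set. */
struct fieldspec {
    int width;               /* 0 if no width digits were present */
    int precision;           /* -1 if no '.' was present */
    bool width_overflow;
    bool precision_overflow;
};

/* Accumulate decimal digits into an int without ever overflowing.
   The check happens before the multiply-add, so no undefined behaviour
   occurs for any input. Returns the number of digits consumed. */
static size_t parse_decimal(const char *s, int *out, bool *overflow)
{
    int value = 0;
    size_t i = 0;
    *overflow = false;
    for (; s[i] >= '0' && s[i] <= '9'; i++) {
        int digit = s[i] - '0';
        if (*overflow)
            continue;            /* already saturated; keep consuming digits */
        /* value * 10 + digit <= INT_MAX  <=>  value <= (INT_MAX - digit) / 10 */
        if (value > (INT_MAX - digit) / 10) {
            *overflow = true;
            value = INT_MAX;
        } else {
            value = value * 10 + digit;
        }
    }
    *out = value;
    return i;
}

/* Parse "M", ".N" or "M.N". The precision is parsed even when the width
   overflowed, so an oversized M never causes N to be dropped.
   Returns the number of characters consumed. */
size_t parse_fieldspec(const char *spec, struct fieldspec *fs)
{
    size_t n = parse_decimal(spec, &fs->width, &fs->width_overflow);
    fs->precision = -1;
    fs->precision_overflow = false;
    if (spec[n] == '.') {
        n++;
        n += parse_decimal(spec + n, &fs->precision, &fs->precision_overflow);
    }
    return n;
}

/* Overflow-checked NMEMB * SIZE for use before a calloc-style allocation.
   Returns false instead of letting the product wrap to a small size. */
bool checked_mul_size(size_t nmemb, size_t size, size_t *result)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return false;
    *result = nmemb * size;
    return true;
}

int main(void)
{
    /* Constructed inputs, including the width from the thread. */
    const char *specs[] = { "10.3", "9223372036854775825.5", ".7", "42" };
    for (size_t k = 0; k < sizeof specs / sizeof specs[0]; k++) {
        struct fieldspec fs;
        parse_fieldspec(specs[k], &fs);
        printf("%-25s width=%d%s precision=%d%s\n", specs[k],
               fs.width, fs.width_overflow ? " (overflow)" : "",
               fs.precision, fs.precision_overflow ? " (overflow)" : "");
    }
    size_t bytes;
    printf("checked_mul_size(SIZE_MAX, 2): %s\n",
           checked_mul_size(SIZE_MAX, 2, &bytes) ? "ok" : "overflow");
    return 0;
}
```

A caller that sees `width_overflow` set can report the spec as invalid, which is the "flagged as overflow" behaviour the thread settles on, while still using the parsed precision; the pre-multiplication checks are what make the result well defined on every platform rather than dependent on whatever happened to sit in memory.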

