From: Ron Yorston Date: Tue, 18 Jul 2017 08:33:22 +0000 (+0100) Subject: printf: fix format string sanity check X-Git-Tag: 1_28_0~365 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=513a2457b65894b10b9fd6aa8753fca59eced08c;p=oweals%2Fbusybox.git printf: fix format string sanity check One of the tests for printf checks for an invalid bare '%' in the format string: $ busybox printf '%' a b c printf: %: invalid format On x86_64 a slightly different test doesn't work correctly: $ busybox printf '%' d e f printf: invalid number 'd' printf: invalid number 'e' printf: invalid number 'f' On other platforms the test fails randomly depending on how the arguments are laid out in memory. There are two places in the code where strchr is used to determine if a character in the format string is valid. However, strchr also returns a valid pointer if the character being searched for is the null terminator thus causing the code to incorrectly suppose that a valid character has been found. Add explicit checks for the null terminator. Signed-off-by: Ron Yorston Signed-off-by: Denys Vlasenko --- diff --git a/coreutils/printf.c b/coreutils/printf.c index bc22e0ee7..65bb5a935 100644 --- a/coreutils/printf.c +++ b/coreutils/printf.c @@ -305,7 +305,7 @@ static char **print_formatted(char *f, char **argv, int *conv_err) } break; } - if (strchr("-+ #", *f)) { + if (*f && strchr("-+ #", *f)) { ++f; ++direc_length; } @@ -348,7 +348,7 @@ static char **print_formatted(char *f, char **argv, int *conv_err) static const char format_chars[] ALIGN1 = "diouxXfeEgGcs"; char *p = strchr(format_chars, *f); /* needed - try "printf %" without it */ - if (p == NULL) { + if (p == NULL || *f == '\0') { bb_error_msg("%s: invalid format", direc_start); /* causes main() to exit with error */ return saved_argv - 1;