summaryrefslogtreecommitdiff
blob: 1dbaa51ec4c932c98268da0b4cdcae6aa5571632 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
Attemt to use CVS leads to glibc crash:
$ cvs up
  *** %n in writable segment detected ***

Fixes: https://savannah.nongnu.org/bugs/?35432
Upstream gnulib commit:

From 913c09becd9df89dbd9b9f386e7f35c240d5efe8 Mon Sep 17 00:00:00 2001
From: Bruno Haible <bruno@clisp.org>
Date: Thu, 18 Oct 2007 23:50:42 +0000
Subject: Don't use %n on glibc >= 2.3 systems.

---
(limited to 'lib/vasnprintf.c')

diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
index f563823..5d818aa 100644
--- a/lib/vasnprintf.c
+++ b/lib/vasnprintf.c
@@ -3386,8 +3386,20 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp,
 		  *fbp = dp->conversion;
 #if USE_SNPRINTF
+# if !(__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3))
 		p[1] = '%';
 		p[2] = 'n';
 		p[3] = '\0';
+# else
+		/* On glibc2 systems from glibc >= 2.3 - probably also older
+		   ones - we know that snprintf's returns value conforms to
+		   ISO C 99: the gl_SNPRINTF_DIRECTIVE_N test passes.
+		   Therefore we can avoid using %n in this situation.
+		   On glibc2 systems from 2004-10-18 or newer, the use of %n
+		   in format strings in writable memory may crash the program
+		   (if compiled with _FORTIFY_SOURCE=2), so we should avoid it
+		   in this situation.  */
+		p[1] = '\0';
+# endif
 #else
 		p[1] = '\0';
 #endif
--
cgit v0.9.0.2