path: root/lib/libc/stdio/vfprintf.c
Commit message | Author | Age | Files | Lines
* The printf format string component %n is a nearly Turing-complete gadget. | deraadt | 2020-10-27 | 1 | -2/+42
  Largely considered attack surface nowadays. The benefit provided by %n is completely overshadowed by the risk. New uses of %n don't seem to be entering the C ecosystem, as static tools flag them. And everyone points fingers at those people.... The list of programs (and libraries) which use %n is therefore finite and shrinking.

  Most of the %n use comes out of the GNU ecosystem. jca@ has convinced gnulib to fix their code (so we need to wait for software including gnulib to make new releases).

  A few libraries have moved ahead of us and become more strict. Some no longer permit %n (for instance, Android bionic). Others log the occurrence. Some log and abort if the output location is W|X (MacOS).

  Our base tree is clean. The ports tree contains a handful during build time, and unknown count (more) during runtime.

  We would like to abort programs on any occurrence of %n. Or we could be like MacOS, aborting for W|X pages (but would need a system call which can check that condition, and that introduces address space knowledge we don't want attackers to know, and may be a poor tradeoff).

  For now, we can syslog, to increase awareness, and involve more people in the greater community to remove %n uses.

  [If %n is at the end, use the *printf return value. If it occurs in the middle, split the printf calls into multiples]

  Hopefully one day, we can just abort() when %n happens. Help us get there?

  ok jca, plus naddy for ports team
* Use a simple forward search to find '%' in the format string instead of | tb | 2017-11-21 | 1 | -35/+12
  using mbrtowc(3). Thus, we now treat the format string as a bytestring, not as a multibyte character string.

  We think that ANSI C made a small error when adding wide characters: The committees essentially replaced "characters" with "wide characters" in the existing printf documentation, which was written before the concept of processing was established. Doing processing on the format string would break some 8-bit format strings in the wild, and that isn't something these committees gave themselves license to do.

  Based on the "10x printf speedup" commit from android found by tedu: https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3

  Thanks to millert and schwarze for digging into the history and testing *printf behavior on other platforms.

  ok deraadt, millert
* Store the return value of mbrtowc() in a size_t, not int. | millert | 2016-08-29 | 1 | -13/+15
  OK schwarze@
* When a precision is specified for a string format use strnlen() | millert | 2016-08-27 | 1 | -17/+7
  to determine the length instead of doing it manually. OK schwarze@
* % is escaped with more %, not backslash. | tedu | 2016-08-17 | 1 | -3/+3
* Generate syslog warnings for %s fmt strings NULL to "(null)" conversions. | deraadt | 2016-08-17 | 1 | -2/+18
  Over time we can repair software which performs this non-standard behaviour, and fix bugs along the way. Let's first find out how bad the situation is by deploying this in snapshots.

  This type of logging is possible because OpenBSD syslog_r(3) -> sendsyslog(2) is side-effect free enough to be used in the bowels of libc.

  ok tedu
* Return EOVERFLOW, not ENOMEM for overflow conditions to match POSIX. | millert | 2016-06-06 | 1 | -3/+3
* remove a nop assignment that has been #if 0'd since 1996 | mmcc | 2016-01-19 | 1 | -5/+1
  ok millert@
* Fix lots of bugs. | schwarze | 2016-01-04 | 1 | -18/+28
  1. When fprintf(fp, "...%ls...", ...) encounters an encoding error, do not destroy all the fp->_flags, which made the file permanently unreadable and unwriteable.
  2. Do not change fp->_flags at all in case of encoding errors. Neither the manual nor POSIX ask for it, no other conversions set the error indicator, and it isn't needed because the return value reports failure and must be checked anyway.
  3. Detect failure in mbrtowc(3), do not silently treat invalid bytes in the format string as the end of the format string.
  4. Detect failure of __find_arguments(), no matter whether due to out of memory conditions or encoding errors, and gracefully fail rather than accessing an invalid pointer.
  5. Remove the pointless and slightly dangerous errno = EILSEQ overrides after functions that already do that and are required by the standard to do so.

  OK jca@ on items 1, 2, and 5. OK millert@ on the complete diff.
  "Completely brutal mix of bugs." deraadt@
* Remove NULL-checks before free() and a few related dead assignments. | mmcc | 2015-12-28 | 1 | -7/+4
  ok and valuable input from millert@
* Delete the final, inscrutable NOSTRICT and VARARGS lint comments | guenther | 2015-09-29 | 1 | -2/+1
  ok millert@
* Add framework for resolving (pun intended) libc namespace issues, using | guenther | 2015-08-31 | 1 | -1/+2
  wrapper .h files and asm labels to let internal calls resolve directly and not be overridable or use the PLT. Then, apply that framework to most of the functions in stdio.h, string.h, err.h, and wchar.h. Delete the should-have-been-hidden-all-along _v?(err|warn)[cx]? symbols while here.

  tests clean on i386, amd64, sparc64, powerpc, and mips64
  naming feedback from kettenis@ and millert@
  ok kettenis@
* Show the sign for NaN as per POSIX; from Elliott Hughes. | daniel | 2014-12-21 | 1 | -4/+3
  ok martynas@, millert@, doug@
* Add #ifndef NO_PRINTF_PERCENT_N. Since we are fully standardized, we | deraadt | 2014-05-03 | 1 | -1/+5
  don't use disable %n ourselves. But Google's Android libc is based on our libc.... Giving them an easy knob to disable this dangerous feature easily make their job easier without making our job any harder. Request from Elliott @ google
* It's still safe to assume 'signed' exists | guenther | 2014-03-19 | 1 | -3/+3
* Pull in gdtoa.h instead of declaring __dtoa() and __freedtoa() directly | guenther | 2013-11-01 | 1 | -3/+2
  ok deraadt@
* Fix the combination of 'j' format flag and the XPG "<num>$" modifier. | guenther | 2013-03-02 | 1 | -2/+11
  ok deraadt@ kettenis@ millert@
* Use nl_langinfo(RADIXCHAR) instead of localeconv()->decimal_point in | matthew | 2012-06-26 | 1 | -2/+5
  printf() and avoid calling it unless needed (i.e., when we have a floating point value to print).

  This isn't a big concern currently due to our limited locale support and current localeconv() implementation, but it's still technically a data race and implementing POSIX 2008 per-thread locales is likely to make it worse. nl_langinfo() isn't guaranteed by POSIX to be thread-safe either, but at least our current implementation is thread-safe and it's a simpler interface to keep that way.

  Printing floating point values isn't async-signal-safe anyway due to gdtoa()'s use of malloc(), so that's not an issue.

  ok deraadt, stsp, millert
* Add support for C99 %ls and %lc format directives, as has been documented in | stsp | 2011-07-06 | 1 | -5/+146
  the vfprintf(3) man page for ages. Based on code from NetBSD/FreeBSD. Prevent ramdisk growth with a maze of #ifdefs.
  ok robert, no objections deraadt, espie, millert
* Fix out of date comment; no code change | millert | 2010-12-22 | 1 | -2/+2
* The ssizearg member of union arg is pointless if it isn't of type ssize_t | guenther | 2010-10-17 | 1 | -2/+2
  Noted by Claus Assmann
* Fix the handle locking in stdio to use flockfile/funlockfile | kurt | 2009-11-09 | 1 | -3/+14
  internally when and where required. Macros in <stdio.h> are updated to automatically call the underlying functions when the process is threaded to obtain the necessary locking. A private mutex is added to protect __sglue, the internal list of FILE handles, and another to protect the one-time initialization. Some routines in libc that use getc() change to use getc_unlocked() as they're either protected by their own lock or aren't thread-safe routines anyway.

  committing on behalf of and okay guenther@ now that we have install media space available.
* skip the \' formatting flag, grouping is not implemented; ok deraadt@ | naddy | 2009-10-28 | 1 | -1/+5
* Back out previous commit, as it caused too much growth for the install | guenther | 2009-10-22 | 1 | -14/+3
  media to fit
* Fix the handle locking in stdio to use flockfile/funlockfile | guenther | 2009-10-21 | 1 | -3/+14
  internally when and where required. Macros in <stdio.h> are updated to automatically call the underlying functions when the process is threaded to obtain the necessary locking. A private mutex is added to protect __sglue, the internal list of FILE handles, and another to protect the one-time initialization. Some routines in libc that use getc() change to use getc_unlocked() as they're either protected by their own lock or aren't thread-safe routines anyway.

  ok kurt@, earlier version tested by sthen@ and jj@
* teach gdtoa & its subroutines that malloc can fail; in which case | martynas | 2009-10-16 | 1 | -1/+17
  ecvt, fcvt, gcvt, *printf, strtof, strtod, strtold act per ieee 1003.1. after these massive changes, remove unused files which would not work now.
  reported by Maksymilian Arciemowicz; ok theo
* use decimal point from locale. ok millert@ | martynas | 2008-10-21 | 1 | -3/+3
* - replace dtoa w/ David's gdtoa, version 2008-03-15 | martynas | 2008-09-07 | 1 | -161/+195
  - provide proper dtoa locks
  - use the real strtof implementation
  - add strtold, __hdtoa, __hldtoa
  - add %a/%A support
  - don't lose precision in printf, don't round to double anymore
  - implement extended-precision versions of libc functions: fpclassify, isnan, isinf, signbit, isnormal, isfinite, now that the ieee.h is fixed
  - separate vax versions of strtof, and __hdtoa
  - add complex math support. added functions: cacos, casin, catan, ccos, csin, ctan, cacosh, casinh, catanh, ccosh, csinh, ctanh, cexp, clog, cabs, cpow, csqrt, carg, cimag, conj, cproj, creal, cacosf, casinf, catanf, ccosf, csinf, ctanf, cacoshf, casinhf, catanhf, ccoshf, csinhf, ctanhf, cexpf, clogf, cabsf, cpowf, csqrtf, cargf, cimagf, conjf, cprojf, crealf
  - add fdim, fmax, fmin
  - add log2. (adapted implementation e_log.c. could be more accurate & faster, but it's good enough for now)
  - remove wrappers & cruft in libm, supposed to work-around mistakes in SVID, etc.; use ieee versions. fixes issues in python 2.6 for djm@
  - make _digittoint static
  - proper definitions for i386, and amd64 in ieee.h
  - sh, powerpc don't really have extended-precision
  - add missing definitions for mips64 (quad), m{6,8}k (96-bit) float.h for LDBL_*
  - merge lead to frac for m{6,8}k, for gdtoa to work properly
  - add FRAC*BITS & EXT_TO_ARRAY32 definitions in ieee.h, for hdtoa&ldtoa to use
  - add EXT_IMPLICIT_NBIT definition, which indicates implicit normalization bit
  - add regression tests for libc: fpclassify and printf
  - arith.h & gd_qnan.h definitions
  - update ieee.h: hppa doesn't have quad-precision, hppa64 does
  - add missing prototypes to gdtoaimp
  - on 64-bit platforms make sure gdtoa doesn't use a long when it really wants an int
  - etc., what i may have forgotten...
  - bump libm major, due to removed&changed symbols
  - no libc bump, since this is riding on djm's libc major crank from a day ago

  discussed with / requested by / testing theo, sthen@, djm@, jsg@, merdely@, jsing@, tedu@, brad@, jakemsr@, and others.
  looks good to millert@
  parts of the diff ok kettenis@

  this commit does not include:
  - man page changes
* comment fixes | martynas | 2008-08-27 | 1 | -7/+7
* - add F | martynas | 2008-08-26 | 1 | -8/+17
  - make inf INF nan NAN comply to standards (eEfFgG)
  - extend man page bits
  ok millert@. w/ a man page tweak and ok jmc@
* don't zero-pad special values. ok millert@ | martynas | 2008-08-26 | 1 | -1/+3
* - handle sign of negative zero. use sign dtoa sets | martynas | 2008-07-10 | 1 | -11/+6
  - remove 'value < 0' cruft, dtoa already clears sign bit for us
  discussed with, and tested by phessler@
  ok millert@, who noticed to remove now-unused variable, and phessler@
* Fix ssize_t vs. size_t mismatch | millert | 2008-05-16 | 1 | -2/+2
* C99 says that for each va_copy() there must be a matching va_end(). | millert | 2008-05-16 | 1 | -30/+59
  Replace the non-portable hackery in __find_arguments() with a union. From FreeBSD.
* Don't forget to va_end() the va_list we get from va_copy(). From FreeBSD. | millert | 2008-05-13 | 1 | -1/+2
* add missing header for getpagesize | chl | 2008-05-05 | 1 | -1/+2
  ok espie@
* %hhd was being printed as if %hd was specified | deraadt | 2007-11-28 | 1 | -11/+16
  ok millert tedu
* Remove and simplify an impossible case (if *p = memchr(cp, 0, prec), | ray | 2007-01-30 | 1 | -9/+7
  p - cp cannot be greater than prec).

  Prevent an integer overflow when printing a string with length greater than INT_MAX.

  Initial diff from millert@.

  OK millert@, beck@, and otto@.
* Fix potential int overflow for printf(3) when passing in very large | millert | 2007-01-16 | 1 | -13/+50
  values for the field width. Adapted from a diff by Christian Biere.
* try first mmap() allocation at pagesize, no need to re-mmap at every power | deraadt | 2006-11-26 | 1 | -1/+4
  of 2 from 16 to pagesize(); ok otto
* make __dtoa & strtod() thread-safe using the same method as newer gdtoa | deraadt | 2006-10-29 | 1 | -4/+11
  codebase. tested mostly by ckuethe and myself.
  __dtoa() use now requires a call to __freedtoa()
* check mmap for failure. the helper functions using it return -1, but | tedu | 2006-04-29 | 1 | -36/+43
  callers do not yet check since printf() for example is not documented to return an error. some formatting cleanups. mostly ok deraadt millert
* Use long long and intmax_t instead of quad_t throughout. Adapted in | millert | 2006-01-13 | 1 | -97/+92
  part from FreeBSD.
* Adapt things to use __type_t instead of _BSD_TYPE_T_ | millert | 2006-01-06 | 1 | -2/+2
  Add new sys/_types.h header
  Include machine/_types.h or sys/_types.h where applicable
* Missing piece from previous commit | millert | 2005-12-19 | 1 | -1/+2
* Add %hhd to *printf and *scanf as well as %z to *scanf. This was | millert | 2005-12-19 | 1 | -2/+9
  sent out and approved about 6 months ago and has been rotting in my tree ever since.
* support %jd from c99, although intmax_t may not be available. | tedu | 2005-09-23 | 1 | -1/+4
  ok deraadt espie kettenis
* zap remaining rcsid. | espie | 2005-08-08 | 1 | -4/+1
  Kill old files that are no longer compiled.
  okay theo
* next citrus step. | espie | 2005-06-17 | 1 | -1/+2
  reviewed by millert, otto, kevlo, naddy, kettenis...
  libc+libstdc++ bump
* Fix rearranging of parameters for quad types. | espie | 2005-06-08 | 1 | -11/+24
  Use stateful functions for mbtowc. Use the same loop for scanning and for rescanning the format.
  okay millert@