summaryrefslogtreecommitdiffstats
path: root/lib/libc/stdio (follow)
Commit message (Collapse)AuthorAgeFilesLines
* For the snprintf range check demo, add a (size_t) cast in the right placederaadt2021-04-011-3/+3
| | | | which will satisfy the toughest compiler options
* article fixes; from eddie yousephjmc2021-02-021-3/+3
|
* The printf format string component %n is a nearly turning-complete gadget.deraadt2020-10-272-4/+83
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Largely considered attack surface nowadays. The benefit provided by %n is completely overshadowed by the risk. New uses of %n don't seem to be entering the C ecosystem, as static tools flag them. And everyone points fingers at those people.... The list of programs (and libraries) which use %n is therefore finite and shrinking. Most of the %n use comes out of the GNU ecosystem. jca@ has convinced gnulib to fix their code (so we need to wait for software including gnulib to make new releases). A few libraries have moved ahead of us and become more strict. Some n longer permit %n (for instance, andriod bionic). Others log the occurance. Some log and abort if the output location is W|X (MacOS). Our base tree is clean. The ports tree contains a handful during build time, and unknown count (more) during runtime. We would like to abort programs on any occurance of %n. Or we could be like MacOS, aborting for W|X pages (but would need a system call which can check that condition, and that introduces addressspace knowledge we don't want attackers to know, and may be a poor tradeoff). For now, we can syslog, to increase awareness, and involve more people in the greater community to remove %n uses. [If %n is at the end, use the *printf return value. If it occurs in the middle, split the printf calls into multiples] Hopefully one day, we can just abort() when %n happens. Help us get there? ok jca, plus naddy for ports team
* Spell out n as en for consistency with other parts of the page.tb2020-09-131-3/+3
|
* %lln is percent ell ell n (not dee).claudio2020-09-131-4/+4
| | | | OK deraadt@
* Fix append mode so it always writes to the end and expand regress.millert2020-08-171-2/+7
| | | | OK deraadt@ martijn@
* Fix handling of "w+" mode, we were only truncating for "w".millert2020-08-141-2/+2
| | | | OK martijn@ mpi@
* adjust %n description to vaguely say "pointer", becuase the followingderaadt2020-07-101-4/+6
| | | | | | list of "[size]n" includes "n" on it's own, thereby the "int" case is described correctly. ok schwarze
* As suggested by deraadt@, rewrite most of the printf(3) manual pageschwarze2020-07-101-453/+586
| | | | | | | | | | | | | | to properly show the (differing) syntaxes of all the conversion specifications, and reduce the amount of forward references from the list of modifiers to the list of specifiers. While here, properly explain %lc and %ls. Also correct RETURN VALUES, which incorrectly talked about counting characters while actually bytes are counted. Using feedback from millert@, deraadt@, tb@, and Martin Vahlensieck. OK deraadt@, millert@, and tb@ on intermediate versions of this diff and no objections from jmc@.
* Minor tweaks in the description of %g:schwarze2020-07-061-4/+8
| | | | | | | | 1. Clarify that %G uses %F, not %f; noticed by millert@. 2. Mention that %g originally meant "general notation", see: https://minnie.tuhs.org/cgi-bin/utree.pl?file=V7/usr/src/libc/stdio/doprnt.s Triggered by a somewhat different patch from Ian <ropers at gmail dot com>. Feedback and OK millert@ and jmc@.
* fwide() does not unlock if error was occurred.asou2019-12-031-2/+4
| | | | ok guenther@ and deraadt
* more Version 1 AT&T UNIX history:schwarze2019-09-071-3/+7
| | | | | a few cases that weren't altogether straightforward; tweak and OK jmc@, OK sobrado@
* .Dt same as filenamederaadt2019-08-301-3/+3
|
* mop up stdarg rename; ok deraadtjmc2019-08-304-12/+12
|
* two more syscall == -1 checksderaadt2019-06-291-3/+3
|
* Specify that {v,}asprintf(3) returns precisely -1 on failure,schwarze2019-06-281-7/+11
| | | | | | | | | and that the ret pointer is either unchanged or set to NULL in this case. Since these two functions are not standardized by POSIX, documenting the actual behaviour is the way to go, and the above matches all non-buggy implementations we are aware of. OK millert@ deraadt@
* When system calls indicate an error they return -1, not some arbitraryderaadt2019-06-285-11/+11
| | | | | | value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.
* Simplify the description of [v]snprintf(3), move the descriptionschwarze2019-06-271-19/+18
| | | | | | of the return values to RETURN VALUES, deprecate [v]sprintf(3) and fix a punctuation typo. Joint work with and OK millert@.
* an -> a;jmc2019-06-261-2/+2
|
* The POSIX-compatible way of checking for {v,}{f,s,sn,d}printf(3)deraadt2019-06-261-4/+5
| | | | | failure is with < 0, not the more specific -1 from C discussed at length with millert, nicm, schwarze
* More consistently put remarks about the less useful LC_* categoties,schwarze2019-05-161-3/+13
| | | | | | i.e. those other than LC_CTYPE, into the CAVEATS section, and standardize wording somewhat. OK jmc@
* Fix a comparison in open_memstream not to confuse when a negativeyasuoka2019-05-021-3/+3
| | | | | | value is given for the off. found by nagasaka at IIJ. ok deraadt
* Undo changes to tmpfile.c r1.5.martijn2019-04-262-26/+5
| | | | | | | | | | | | Doing the fchown call causes pledge("tmppath") to be insufficient and the the umask dance may cause race-conditions in multithreaded applications. Also POSIX states the following nowadays: implementations may restrict the permissions, either by clearing the file mode bits or setting them to the value S_IRUSR | S_IWUSR. Encouraging words from tedu@ Standards verification and OK millert@
* in vdprintf(), no need to use the file locking mecanism when usingsemarie2019-03-031-2/+2
| | | | | | | fflush() as the variable is stack based (no possible concurrent access). call directly __sflush() ok visa@ deraadt@
* I am retiring my old email address; replace it with my OpenBSD one.millert2019-01-253-6/+6
|
* For all functions known to be infected by LC_NUMERIC, add shortschwarze2019-01-164-29/+30
| | | | | | | | CAVEATS pointing to the new CAVEATS section in setlocale(3). Make those in wprintf(3) and wscanf(3) more concise since duplicate information is a bad idea. Incompleteness of information originally pointed out by millert@. OK millert@
* Similar CAVEATS regarding LC_NUMERIC as was just committedschwarze2019-01-111-6/+19
| | | | | to wprintf(3) with OK cheloha@ tedu@; also triggered by a smaller diff from Jan Stary <hans at stare dot cz>.
* Clarify that OpenBSD ignores the dangerous category LC_NUMERIC,schwarze2019-01-111-16/+30
| | | | | | and explain best practice for portable programs below CAVEATS. Triggered by a smaller diff from Jan Stary <hans at stare dot cz>. Emphatic OKs from cheloha@ and tedu@.
* Restore the optimization for unbuffered I/O. The buffer needs tomillert2018-12-161-1/+31
| | | | | be reset before each call to __srefill(). Passes new regress. OK semarie@
* Back out rev 1.17 for now, it causes issues with python when buildingmillert2018-12-161-31/+1
| | | | databases/tdb from ports.
* Revisit the optimization for unbuffered I/O. We can use the buffermillert2018-12-141-1/+31
| | | | | | passed to fread(3) directly in the FILE * and call __srefill() in a loop without the memcpy(). This preserves the expected behavior in all cases. OK semarie@, "This is neat" tedu@
* Back out the optimization in rev 1.13, it does not update flags onmillert2018-12-141-16/+1
| | | | EOF or error. This caused a regression in the cPickle python extension.
* some grammar fixes; from dholland@netbsd, -r1.68jmc2018-01-021-6/+6
|
* Fix the return value of fwscanf(3) when encountering an early matchingkevlo2017-12-081-2/+2
| | | | | | failure. This change brings fwscanf(3) back in line with fscanf(3). From FreeBSD; ok deraadt@, millert@
* Consistently .Xr the corresponding wide char functions from char- andschwarze2017-12-0111-26/+37
| | | | | string-handling <stdio.h> functions, like we already do it for <string.h>. Includes a smaller patch from <kshe59 at zoho dot eu>, OK jmc@.
* add missing argument name; from <kshe59 at zoho dot eu>; OK jmc@;schwarze2017-12-011-8/+32
| | | | while here, consistently use .Fo to cure execessive line lengths
* GNU ld has prefixed the contents of .gnu.warning.SYMBOL sectionstb2017-11-285-10/+10
| | | | | | | | with "warning: " since 2003, so the messages themselves need not contain the prefix anymore. From Scott Cheloha ok jca, deraadt
* Use a simple forward search to find '%' in the format string instead oftb2017-11-211-35/+12
| | | | | | | | | | | | | | | | | | | | using mbrtowc(3). Thus, we now treat the format string as a bytestring, not as a multibyte character string. We think that ANSI C made a small error when adding wide characters: The committees essentially replaced "characters" with "wide characters" in the existing printf documentation, which was written before the concept of processing was established. Doing processing on the format string would break some 8-bit format strings in the wild, and that isn't something these committees gave themselves license to do. Based on the "10x printf speedup" commit from android found by tedu: https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3 Thanks to millert and schwarze for digging into the history and testing *printf behavior on other platforms. ok deraadt, millert
* Add error checking to some calls to __find_arguments(). Matches similartb2017-11-161-6/+16
| | | | | | | | changes by schwarze to vfprintf.c r1.71. Cherrypicked from android: https://github.com/aosp-mirror/platform_bionic/commit/5305a4d4a723b06494b93f2df81733b83a0c46d3 ok millert
* add missing HISTORY; based on CVS logs and release announcementsschwarze2017-10-171-2/+7
|
* fmt0 is a wchar_t *, so use %ls to reportderaadt2017-08-151-3/+3
|
* Favor err() over perror() in example.anton2017-07-221-3/+3
| | | | ok schwarze@
* 1. mild deprecation noticeschwarze2017-07-041-3/+11
| | | | | | | | 2. point to getline (suggested by nicm@) 3. cross reference fgetc(3) rather than putc(3) 4. add missing error handling to the example code OK nicm@
* Add dprintf() and vdprintf() RETURN VALUES. OK deraadt@millert2017-06-121-2/+4
|
* Use recallocarray in getdelim/getline to clear memory on buffer resizes,brynet2017-04-131-2/+2
| | | | | | inspired by a similar change to fgetln. ok deraadt millert
* Use recallocarray() to avoid leaving detritus in memory when resizingmillert2017-03-171-2/+3
| | | | the string buffer used by asprintf() and vasprintf(). OK deraadt@
* Use recallocarray() to avoid leaving detritus in memory when resizingderaadt2017-03-174-8/+12
| | | | | | buffers. We don't bother doing this for objects containing pointers, but focus on controllable data. ok millert
* Only reallocate the buffer to fit for medium-size allocations wheremillert2017-03-162-18/+28
| | | | | we expanded the buffer to a single page. The final realloc() can be expensive for large buffers and is not realled needed. OK deraadt@
* When reallocating the buffer for asprintf(), just round up to themillert2017-03-161-6/+5
| | | | | nearest page instead of doubling the old size until it is large enough. OK deraadt@
* Use a macro for the initial length of the buffer instead of 127; OK deraadt@millert2017-03-142-6/+10
|
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.