Re: write past end of buffer in vasnprintf() implementation of %f
From: Ben Pfaff
Subject: Re: write past end of buffer in vasnprintf() implementation of %f
Date: Sun, 23 Sep 2018 09:26:49 -0700
User-agent: Mutt/1.5.23 (2014-03-12)
On Sun, Sep 23, 2018 at 02:25:50PM +0200, Bruno Haible wrote:
> > The line in convert_to_decimal() cited above is the assignment here:
> >
> > /* Terminate the string. */
> > *d_ptr = '\0';
> >
> > I guess that the space calculation passed to malloc() at the top of the
> > same function is not precise. I don't know whether the right thing to
> > do is to just add one.
>
> Indeed, the right thing is to add just 1.
>
> > This bug was originally reported against GNU PSPP:
> > https://savannah.gnu.org/bugs/?func=detailitem&item_id=54686
> >
> > For this report, I've simplified it to remove the PSPP dependency (and
> > to make sure it isn't somehow a PSPP bug).
>
> I found a smaller test case: 1.6314159265358979e+125 instead of
> 1.24726002000241678234e+269, and added that to the test suite.
> For the record, the issue occurs for all numbers in the ranges
> 10^125 <= arg < 2^416
> 10^134 <= arg < 2^448
> 10^260 <= arg < 2^864
> 10^269 <= arg < 2^896
> ...
Thank you very much for the fix!
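The sizing rule this thread is about, as an added C illustration (not gnulib's vasnprintf or convert_to_decimal code): the C library's own snprintf is asked how many characters "%f" needs, the buffer gets that length plus one byte for the terminator, and the helpers are then checked against the trigger values quoted above. The function names are my own.

```c
/* Added example, not gnulib code: size a heap buffer for the "%f"
 * rendering of a large double, including the NUL byte that the
 * convert_to_decimal() allocation discussed above was missing. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'ed "%f" rendering of x, or NULL on failure.
 * The caller frees the result. */
static char *format_f_alloc(double x)
{
    /* First pass: ask how many characters (excluding the NUL) are needed. */
    int len = snprintf(NULL, 0, "%f", x);
    if (len < 0)
        return NULL;
    /* +1 for the terminator: the byte an off-by-one size calculation omits. */
    size_t size = (size_t)len + 1;
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;
    /* Second pass writes len characters plus the NUL, all within size. */
    if (snprintf(buf, size, "%f", x) != len) {
        free(buf);
        return NULL;
    }
    return buf;
}

/* Length of the "%f" rendering of x (0 on failure). */
static size_t f_render_length(double x)
{
    char *s = format_f_alloc(x);
    if (s == NULL)
        return 0;
    size_t n = strlen(s);
    free(s);
    return n;
}

/* Number of digits before the decimal point in the "%f" rendering of x. */
static size_t f_integer_digits(double x)
{
    char *s = format_f_alloc(x);
    if (s == NULL)
        return 0;
    const char *dot = strchr(s, '.');
    size_t n = dot ? (size_t)(dot - s) : strlen(s);
    free(s);
    return n;
}

int main(void)
{
    double x = 1.6314159265358979e+125;  /* smaller trigger value from the thread */
    printf("%zu integer digits, %zu chars total\n", f_integer_digits(x), f_render_length(x));
    return 0;
}
```

Building a reproduction like this with -fsanitize=address is the quickest way to confirm that an allocation is exactly one byte short, since the terminator write then lands on the first byte past the buffer.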