gmp_snprintf tries to allocate 18 EB on long strings

[Marco Bodrato]

Ciao,

Il Gio, 1 Febbraio 2018 11:32 am, Niels Möller ha scritto:
> I think we should be able to rely on C99 vsnprintf. If need, check for
> correct behavior in configure, and fall back to repl_vsnprintf if

I'd try to reject the return value -1 in configure, where a short string
is tested. Then I'd consider the return value -1 as an unrecoverable error
in snprntffuns.c , avoiding repeated calls in this case.
This should heal the issue spotted by Vincent, on systems with a working
vsnprintf. Onthe other side, I'm not sure repl_vsnprintf can really handle
that extremal cases.

A proposed patch:

-------8<------
diff -r df4f222d213c acinclude.m4
--- a/acinclude.m4      Fri Feb 02 17:00:53 2018 +0100
+++ b/acinclude.m4      Fri Feb 02 17:04:47 2018 +0100
@@ -3729,11 +3729,11 @@

   ret = vsnprintf (buf, 4, fmt, ap);

-  if (strcmp (buf, "hel") != 0)
+  if (ret == -1 || strcmp (buf, "hel") != 0)
     return 1;

   /* allowed return values */
-  if (ret != -1 && ret != 3 && ret != 11)
+  if (ret != 3 && ret != 11)
     return 2;

   return 0;
diff -r df4f222d213c printf/snprntffuns.c
--- a/printf/snprntffuns.c      Fri Feb 02 17:00:53 2018 +0100
+++ b/printf/snprntffuns.c      Fri Feb 02 17:04:47 2018 +0100
@@ -75,10 +75,7 @@
       va_copy (ap, orig_ap);
       ret = vsnprintf (d->buf, avail, fmt, ap);
       if (ret == -1)
-        {
-          ASSERT (strlen (d->buf) == avail-1);
-          ret = avail-1;
-        }
+        return ret;

       step = MIN (ret, avail-1);
       d->size -= step;
@@ -104,7 +101,7 @@
       ret = vsnprintf (p, alloc, fmt, ap);
       __GMP_FREE_FUNC_TYPE (p, alloc, char);
     }
-  while (ret == alloc-1 || ret == -1);
+  while (ret == alloc-1);

   return ret;
 }
-------8<------

Ĝis,
m

-- 
http://bodrato.it/papers/