Mantis Bug Tracker

ID: 0000332
Project: OCaml
Category: OCaml general
View Status: public
Date Submitted: 2001-04-06 19:38
Last Update: 2001-04-09 09:42
Reporter: administrator
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0000332: Bug in printf: skip_args + String.unsafe_get ?

Description

Full_Name: Charles Martin
Version: OCaml 3.01
OS: FreeBSD 4.3-RC
Submission from: adsl-63-195-80-23.dsl.snfc21.pacbell.net (63.195.80.23)


The printf functions use the local function skip_args, defined as:

  and skip_args j =
    match String.unsafe_get format j with
      '0' .. '9' | ' ' | '.' | '-' -> skip_args (succ j)
    | c -> j

Since this uses String.unsafe_get, it is possible to make garbage reads
past the end of a malformed format string:

    Printf.printf "foo%"

Fix: either use String.get, or check that j < String.length format.

Notes
(0002245)
administrator (administrator)
2001-04-08 22:45

> Full_Name: Charles Martin
> Version: OCaml 3.01
> OS: FreeBSD 4.3-RC
> Submission from: adsl-63-195-80-23.dsl.snfc21.pacbell.net (63.195.80.23)
>
>
> The printf functions use the local function skip_args, defined as:
>
>   and skip_args j =
>     match String.unsafe_get format j with
>       '0' .. '9' | ' ' | '.' | '-' -> skip_args (succ j)
>     | c -> j
>
> Since this uses String.unsafe_get, it is possible to make garbage reads
> past the end of a malformed format string:
>
> Printf.printf "foo%"
>
> Fix: either use String.get, or check that j < String.length format.

I don't think you can make garbage reads past the end of the format
string, since a % character has to be followed by a format type
character, and this is verified by the typechecker before the actual
call to printf:

# Printf.printf "foo%";;
Bad format `%'

This is arguably error prone, but since the shape of format strings is
fixed and statically known, the skip_args local function is provably
correct, assuming the typechecker correctly verifies all the format
strings of the program (which is mandatory anyway).

All the best.

Pierre Weis

INRIA, Projet Cristal, Pierre.Weis@inria.fr, http://pauillac.inria.fr/~weis/
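
The two fixes proposed in the report, written out as an added example (not code from the report, the reply, or the OCaml source). The scan is lifted out of Printf into standalone functions over a plain string so that its behaviour at the end of the string can be observed directly; the names skip_args_get, skip_args_len and try_skip and the sample strings are assumptions made for illustration.

```ocaml
(* Added example: the skip_args scan as standalone functions over a plain
   string. All names here are hypothetical; the inputs are constructed. *)

(* Fix 1 from the report: String.get checks the index and raises
   Invalid_argument when j is outside the string. *)
let rec skip_args_get format j =
  match String.get format j with
  | '0' .. '9' | ' ' | '.' | '-' -> skip_args_get format (succ j)
  | _ -> j

(* Fix 2 from the report: compare j with String.length first, so the
   unchecked read only happens for an index inside the string.
   Assumes the caller starts at a non-negative index. *)
let rec skip_args_len format j =
  if j >= String.length format then j
  else
    match String.unsafe_get format j with
    | '0' .. '9' | ' ' | '.' | '-' -> skip_args_len format (succ j)
    | _ -> j

(* Run one variant and describe the outcome as text. *)
let try_skip f format j =
  try Printf.sprintf "stopped at %d" (f format j)
  with Invalid_argument msg -> "Invalid_argument: " ^ msg

let () =
  (* In every sample, index 4 is the first position after the '%'.
     The last two samples end before any conversion character. *)
  List.iter
    (fun s ->
      Printf.printf "%S  String.get: %s | length check: %s\n" s
        (try_skip skip_args_get s 4)
        (try_skip skip_args_len s 4))
    [ "foo%5d"; "foo%-3.2"; "foo%" ]
```

With String.get a truncated specification surfaces as an exception at the point of the read; with the length check the scan returns an index equal to String.length format, which the caller then has to treat as a malformed format.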



- Issue History
Date Modified Username Field Change
2005-11-18 10:13 administrator New Issue

