
Bug in printf: skip_args + String.unsafe_get ? #2740

Closed
vicuna opened this issue Apr 6, 2001 · 1 comment

vicuna commented Apr 6, 2001

Original bug ID: 332
Reporter: administrator
Status: closed
Resolution: not a bug
Priority: normal
Severity: minor
Category: ~DO NOT USE (was: OCaml general)

Bug description

Full_Name: Charles Martin
Version: OCaml 3.01
OS: FreeBSD 4.3-RC
Submission from: adsl-63-195-80-23.dsl.snfc21.pacbell.net (63.195.80.23)

The printf functions use the local function skip_args, defined as:

and skip_args j =
match String.unsafe_get format j with
'0' .. '9' | ' ' | '.' | '-' -> skip_args (succ j)
| c -> j

Since this uses String.unsafe_get, it is possible to make garbage reads
past the end of a malformed format string:

Printf.printf "foo%"

Fix: either use String.get, or check that j < String.length format.


vicuna commented Apr 8, 2001

Comment author: administrator

Full_Name: Charles Martin
Version: OCaml 3.01
OS: FreeBSD 4.3-RC
Submission from: adsl-63-195-80-23.dsl.snfc21.pacbell.net (63.195.80.23)

The printf functions use the local function skip_args, defined as:

and skip_args j =
match String.unsafe_get format j with
'0' .. '9' | ' ' | '.' | '-' -> skip_args (succ j)
| c -> j

Since this uses String.unsafe_get, it is possible to make garbage reads
past the end of a malformed format string:

Printf.printf "foo%"

Fix: either use String.get, or check that j < String.length format.

I don't think you can make garbage reads past the end of the format
string, since a % character has to be followed by a format type
character, and this is verified by the typechecker before the actual
call to printf:

Printf.printf "foo%";;

Bad format `%'

This is arguably error prone, but since the shape of format strings is
fixed and statically known, the skip_args local function is provably
correct, assuming the typechecker correctly verifies all the format
strings of the program (which is mandatory anyway).

All the best.

Pierre Weis

INRIA, Projet Cristal, Pierre.Weis@inria.fr, http://pauillac.inria.fr/~weis/
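The two positions above (the report's "add a bounds check" and the reply's "the typechecker already guarantees a conversion character follows") can be seen side by side on a plain string rather than a typed format. The following is an added OCaml example, not code from the OCaml standard library or from either correspondent; the names skip_args_unsafe, skip_args_checked and scan_directives are constructed for this illustration, and the sample strings are made up. It applies the loop from the report to an ordinary string, where a malformed "foo%" can actually reach the scanner at runtime, which is exactly what the static format check prevents for Printf.printf itself.

```ocaml
(* Added example (not stdlib code): the skip_args loop from the report,
   applied to a plain string so a malformed format can be exercised.

   Unsafe variant, as in the report: String.unsafe_get performs no bounds
   check, so on "foo%" the loop would read the byte after the end of the
   string. Shown for contrast only; it is deliberately not called below. *)
let skip_args_unsafe format j =
  let rec go j =
    match String.unsafe_get format j with
    | '0' .. '9' | ' ' | '.' | '-' -> go (succ j)
    | _ -> j
  in
  go j

(* Checked variant, following the fix suggested in the report: stop at
   String.length format, so the returned index never exceeds the length
   and the caller can detect a directive that ran off the end. *)
let skip_args_checked format j =
  let len = String.length format in
  let rec go j =
    if j >= len then j
    else
      match String.get format j with
      | '0' .. '9' | ' ' | '.' | '-' -> go (succ j)
      | _ -> j
  in
  go j

(* Walk a string, describing each '%' directive and whether a conversion
   character is really present after the run of flags and width digits.
   Returns the descriptions in order of appearance. *)
let scan_directives format =
  let len = String.length format in
  let rec loop i acc =
    if i >= len then List.rev acc
    else if format.[i] = '%' then begin
      let j = skip_args_checked format (i + 1) in
      let entry =
        if j < len then
          Printf.sprintf "directive at %d: conversion '%c'" i format.[j]
        else
          Printf.sprintf "directive at %d: malformed, runs off the end" i
      in
      loop (j + 1) (entry :: acc)
    end else loop (i + 1) acc
  in
  loop 0 []

let () =
  (* Well-formed input (constructed): both directives end in a conversion. *)
  List.iter print_endline (scan_directives "foo%5.2f bar%d");
  (* The report's malformed input (constructed): the checked loop stops at
     the end instead of reading past it. Note that the same literal passed
     directly to Printf.printf never reaches any scanner: the typechecker
     rejects it at compile time, as the reply points out. *)
  List.iter print_endline (scan_directives "foo%")
```

The design point is the reply's: the bounds check in skip_args_checked is only needed when the scanner can be handed a string whose shape was not verified beforehand. With Printf.printf the format is a typed literal and "foo%" is a compile-time error, so the unchecked loop can only be reached through a well-formed string; the checked variant matters for code that scans format-like strings built at runtime.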

@vicuna vicuna closed this as completed Apr 9, 2001
@vicuna vicuna added the bug label Mar 19, 2019