printf: fix an out-of-bounds memory access

* src/printf.c (STRTOX): Don't access memory after a string containing a single quote character. * tests/misc/printf: Add tests for various combinations of single quote characters combined with a numeric format. * THANKS.in: Add bug reporter. * NEWS: Mention the fix. Reported-by: Paul Marinescu <paul.marinescu@imperial.ac.uk>
author: Pádraig Brady <P@draigBrady.com> 2011-05-18 00:01:55 +0100
committer: Pádraig Brady <P@draigBrady.com> 2011-05-18 07:33:04 +0100
commit: beaa94931345271fd288480d7ea952f9551ef991 (patch)
tree: 8ba8a455a5ed0d95d310f40ae48569c847404f3d
parent: 50ca38e523b5434fd6d7b98ed87a310179e9967a (diff)
download: coreutils-beaa94931345271fd288480d7ea952f9551ef991.tar.xz
4 files changed, 30 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index 7a7f7612b..88593ab65 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@ GNU coreutils NEWS                                    -*- outline -*-
 
 * Noteworthy changes in release ?.? (????-??-??) [?]
 
+** Bug fixes
+
+  printf '%d' '"' no longer accesses out-of-bounds memory in the diagnostic.
+  [bug introduced in sh-utils-1.16]
+
 ** New features
 
   split accepts a new --filter=CMD option.  With it, split filters output
diff --git a/THANKS.in b/THANKS.in
index 315683454..9120ba304 100644
--- a/THANKS.in
+++ b/THANKS.in
@@ -449,6 +449,7 @@ Patrick Mauritz                     oxygene@studentenbude.ath.cx
 Paul D. Smith                       psmith@gnu.org
 Paul Ghaleb                         paul.ghaleb@st.com
 Paul Jarc                           prj@po.cwru.edu
+Paul Marinescu                      paul.marinescu@imperial.ac.uk
 Paul Nevai                          nevai@ops.mps.ohio-state.edu
 Paul Sauer                          paul@alexa.com
 Paul Slootman                       paul@debian.org
diff --git a/src/printf.c b/src/printf.c
index e05947c75..24070b892 100644
--- a/src/printf.c
+++ b/src/printf.c
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s)						 \
   char *end;								 \
   TYPE val;								 \
                                                                          \
-  if (*s == '\"' || *s == '\'')						 \
+  if ((*s == '\"' || *s == '\'') && *(s + 1))				 \
     {									 \
       unsigned char ch = *++s;						 \
       val = ch;								 \
diff --git a/tests/misc/printf b/tests/misc/printf
index 64047614b..fd1275dfe 100755
--- a/tests/misc/printf
+++ b/tests/misc/printf
@@ -96,4 +96,27 @@ EOF
 
 compare out exp || fail=1
 
+# Verify handling of single quote chars (\' or \")
+
+"$prog" '%d\n' '"a'  >out 2>err   # valid
+"$prog" '%d\n' '"a"' >>out 2>>err # invalid
+"$prog" '%d\n' '"'   >>out 2>>err # invalid
+"$prog" '%d\n' 'a'   >>out 2>>err # invalid
+
+cat <<EOF > exp
+97
+97
+0
+0
+EOF
+
+cat <<EOF > exp_err
+$prog: warning: ": character(s) following character constant have been ignored
+$prog: ": expected a numeric value
+$prog: a: expected a numeric value
+EOF
+
+compare out exp || fail=1
+compare err exp_err || fail=1
+
 Exit $fail
author	Pádraig Brady <P@draigBrady.com>	2011-05-18 00:01:55 +0100
committer	Pádraig Brady <P@draigBrady.com>	2011-05-18 07:33:04 +0100
commit	beaa94931345271fd288480d7ea952f9551ef991 (patch)
tree	8ba8a455a5ed0d95d310f40ae48569c847404f3d
parent	50ca38e523b5434fd6d7b98ed87a310179e9967a (diff)
download	coreutils-beaa94931345271fd288480d7ea952f9551ef991.tar.xz