On 11/10/2010 11:40 AM, Paul Eggert wrote: >> + unsigned int max_digit_string_len >> + = (suffix >> + ? max_out (suffix) >> + : MAX (INT_STRLEN_BOUND (unsigned int), digits)); > > That should be size_t, not unsigned int, since max_out > returns a size_t, and it could return a value greater than > UINT_MAX. For example, the user might run "csplit -b %4294967296d" > and on a 64-bit host max_out will return UINTMAX + 1. > > While we're on the subject of undefined printf behavior, perhaps > we should be rejecting any attempt to use a printf format like > %4294967296d that uses a width or precision greater than INT_MAX? > POSIX seems to say that such a format should work, but I'll bet > nobody does it right (glibc doesn't).
Actually, the next version of POSIX will require EOVERFLOW if printf is directed to print more than INT_MAX bytes: http://austingroupbugs.net/view.php?id=316 > For safety we might want > to be truncating large widths or precisions to INT_MAX, or > rejecting them. There's also the matter that %*d can only go up to INT_MAX bytes; it would make sense to reject larger widths if we cannot safely rewrite a user's %nnnd,value into %*d,nnn,value. -- Eric Blake [email protected] +1-801-349-2682 Libvirt virtualization library http://libvirt.org
signature.asc
Description: OpenPGP digital signature
