Hello Walter,

On 17/02/2016 22:13, walter harms wrote:

Jakub Wilk reported a possible integer overflow in the make_message example:

The example in the printf(3) manpages looks like this (with boring parts
omitted):

int n;
/* ... */
n = vsnprintf(p, size, fmt, ap);
/* ... */
if (n < 0) {
    /* ... */
    return NULL;
}
/* ... */
size = n + 1;


But vsnprintf could return INT_MAX, which would then cause "n + 1" to
overflow.

(AFAICS, the glibc vsnprintf implementation never returns INT_MAX, but
it could in principle.)

I'd suggest changing "n < 0" to "n < 0 || n == INT_MAX".


the bug is real, the type of size should be size_t (in my original post it was 
int)
That would make the error check useless, so we would need to store
the vsnprintf return value in an int.

The problem is that the idea was to have a simple example and cluttering
it with error checks will make it hard to read. How many people would
notice that size_t is unsigned and n is signed? (I added a comment.)

IMHO we should simply add a sentence that "examples are examples and
will not check for every possible error condition."


I agree with the general idea: the examples must remain so. They must also be correct. Tough choice!

I will not put a note on this page about it, nor on the other, too much for so little.

man-pages.7 specifically requests:

Example programs should be fairly short (preferably less than 100 lines;
ideally less than 50 lines).

Example programs should do error checking after system calls and
library function calls.

So I will do a patch with your new corrected version that is very readable.

Thanks a lot for your help.

Regards,

--
Stéphane Aulery
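For reference, here is an added example (written for this summary, not the man-pages project's own code) of the make_message() shape discussed above with both fixes applied: the vsnprintf() return value stays in an int so the negative check still means something, INT_MAX is rejected so that n + 1 cannot overflow, and only then is the value widened to size_t. The helper name needed_size() and the main() driver are assumptions made for this illustration.

```c
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from the man page): turn a vsnprintf() return
 * value into the buffer size it requires. Returns 0 when n signals an
 * error (negative) or when n + 1 would overflow an int (n == INT_MAX);
 * 0 is never a valid size here because a successful result needs at
 * least one byte for the terminator. */
size_t needed_size(int n)
{
    if (n < 0 || n == INT_MAX)
        return 0;
    return (size_t)n + 1;   /* widened only after the range checks */
}

/* Hypothetical hardened make_message(): same structure as the printf(3)
 * example, with the return value kept signed for the error check and the
 * overflow case handled through needed_size(). Returns NULL on failure;
 * the caller frees the result. */
char *make_message(const char *fmt, ...)
{
    int n;                 /* signed: vsnprintf() may return -1 */
    size_t size = 0;       /* unsigned: buffer length for vsnprintf() */
    char *p = NULL, *np;
    va_list ap;

    for (;;) {
        va_start(ap, fmt);
        n = vsnprintf(p, size, fmt, ap);
        va_end(ap);

        size_t want = needed_size(n);
        if (want == 0) {          /* error or would-be overflow */
            free(p);
            return NULL;
        }
        if ((size_t)n < size)     /* output fitted, including the NUL */
            return p;

        size = want;              /* n + 1, computed safely */
        np = realloc(p, size);
        if (np == NULL) {
            free(p);
            return NULL;
        }
        p = np;
    }
}

int main(void)
{
    char *msg = make_message("%s=%d", "answer", 42);
    if (msg == NULL)
        return 1;
    puts(msg);                    /* prints "answer=42" */
    free(msg);

    /* The edge case Jakub raised: INT_MAX must be rejected, not grown. */
    printf("needed_size(INT_MAX) = %zu\n", needed_size(INT_MAX));
    return 0;
}
```

The point of keeping needed_size() separate is that the two checks that matter (negative return, INT_MAX return) sit next to each other and are the only place where the signed-to-unsigned conversion happens, which is what makes the example readable despite doing the error checking that man-pages(7) asks for.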
