Hi Todd,

Todd C. Miller wrote on Tue, Nov 14, 2017 at 09:09:13AM -0700:
> On Tue, 14 Nov 2017 09:26:47 +0100, Theo Buehler wrote:
>> If we only support UTF-8 and ASCII, we do not need complicated multibyte
>> decoding to recognize a '%' in the format string.
>>
>> In his commit message, enh claims that there is a 10x speedup. In my own
>> benchmarking on amd64, a speedup between 1.5x and 5x seems to be more
>> realistic. The code does get significantly simpler, so I think it might
>> be worth it.

> I think we do want this change. I've seen run-time failures before
> due to that code when using snprintf() to write binary data to a
> string without a format string caused by mbrtowc() returning an
> error.

As explained in my other message, that's not a libc bug in *printf(),
but a potentially security-relevant feature of the interfaces.

Software that uses *printf() in a non-POSIX locale to write binary data
(without explicitly using %c or %s) is broken, and such bugs must not
be swept under the carpet.

The fact that %c and %s can, depending on the context, easily be misused
to cause similar potentially dangerous consequences is an unfortunate,
but unavoidable consequence of how the standard is written, but does not
excuse making the danger even worse by adding yet more opportunity for
havoc.

Yours,
  Ingo
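The following is an added illustration, not code from the thread and not OpenBSD's libc, of the two points above: what the mbrtowc() rejection Todd mentions looks like when bytes that are not valid UTF-8 are decoded in a UTF-8 locale, and the pattern Ingo alludes to, passing the data as an argument of %s (here "%.*s" with an explicit length) instead of using it as the format string. The sample bytes, the function names and the choice of "C.UTF-8"/"en_US.UTF-8" as locale names to try are assumptions made for this example.

```c
#include <errno.h>
#include <limits.h>
#include <locale.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Constructed sample (not from the thread): bytes that are not valid UTF-8
 * (0xff 0xfe) and a literal '%', with no NUL inside.  Stands in for untrusted
 * binary data a program wants to copy into a string buffer. */
static const unsigned char sample[] = {
    'i', 'd', '=', 0xff, 0xfe, ' ', '1', '0', '0', '%', ' ', 'o', 'k'
};
#define SAMPLE_LEN (sizeof sample)

/*
 * Correct pattern: the data travels as an argument of "%.*s", so any '%'
 * it contains stays literal and the format string itself is plain ASCII.
 * Returns the number of bytes written, or -1 on snprintf() failure or when
 * the output would not fit (truncation is reported, not silently accepted).
 * Caveat: "%.*s" stops at the first NUL; data that may contain NUL bytes
 * belongs in memcpy(), not in any *printf() call.
 */
int emit_as_argument(char *dst, size_t dstsz, const unsigned char *src, size_t len)
{
    if (len > INT_MAX)
        return -1;
    int n = snprintf(dst, dstsz, "%.*s", (int)len, (const char *)src);
    if (n < 0 || (size_t)n >= dstsz)
        return -1;
    return n;
}

/* Self-check: the sample must come out byte-exact and NUL-terminated. */
int sample_roundtrips(void)
{
    char buf[64];
    int n = emit_as_argument(buf, sizeof buf, sample, SAMPLE_LEN);
    return n == (int)SAMPLE_LEN && memcmp(buf, sample, SAMPLE_LEN) == 0 &&
           buf[n] == '\0';
}

/* Self-check: a buffer too small for the sample is reported, not overrun. */
int sample_truncation_detected(void)
{
    char buf[4];
    return emit_as_argument(buf, sizeof buf, sample, SAMPLE_LEN) == -1;
}

/* What the mbrtowc() error from the thread looks like in isolation: in a
 * UTF-8 locale the byte 0xff cannot start a character, so mbrtowc() returns
 * (size_t)-1 with errno == EILSEQ.  A libc that decodes its format string as
 * multibyte text hits exactly this when such bytes are used as the format.
 * Returns 1 if the bytes were rejected, 0 if they decoded, and -1 if no UTF-8
 * locale is installed on this system (the check is then inconclusive). */
int mbrtowc_rejects_sample(void)
{
    if (setlocale(LC_CTYPE, "C.UTF-8") == NULL &&
        setlocale(LC_CTYPE, "en_US.UTF-8") == NULL)
        return -1;
    mbstate_t st;
    memset(&st, 0, sizeof st);
    errno = 0;
    size_t r = mbrtowc(NULL, (const char *)sample + 3, SAMPLE_LEN - 3, &st);
    int rejected = (r == (size_t)-1 && errno == EILSEQ);
    setlocale(LC_CTYPE, "C");       /* restore the default locale */
    return rejected;
}

int main(void)
{
    printf("round trip through \"%%.*s\": %s\n",
           sample_roundtrips() ? "ok" : "FAILED");
    printf("truncation detected: %s\n",
           sample_truncation_detected() ? "yes" : "no");
    int r = mbrtowc_rejects_sample();
    printf("mbrtowc() on 0xff in a UTF-8 locale: %s\n",
           r == 1 ? "EILSEQ" : r == 0 ? "accepted" : "no UTF-8 locale available");
    return 0;
}
```

The program deliberately does not call snprintf() with the sample as its format string: on a libc that decodes the format as multibyte text that call fails with EILSEQ, and on any libc the '%' inside the data is parsed as a conversion, so the result is undefined either way. Checking the return value of every *printf() call, as emit_as_argument() does, is what turns the failure mode Todd saw into a detectable error instead of silently wrong output.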
