[redland-dev] Bug in raptor_vsnprintf()

Lauri Aalto laalto at gmail.com
Wed May 23 05:46:28 EDT 2012


Hi John,

thanks for the report. The best place for bug reports is
<http://bugs.librdf.org>.

I fixed this particular issue in commit
<https://github.com/dajobe/raptor/commit/391e09a5acddaf3ed63005bec880804896ca860e>.

Normally variable initialization bugs like this are detected by clang
static analyzer ("make analyze" in src) but it only analyzes the
active configuration so this one went undetected.

Lauri

On Tue, May 22, 2012 at 2:47 PM, John Emmas <johne53 at tiscali.co.uk> wrote:
> I've found a bug in raptor_vsnprintf2() (raptor2).  Where should I report
> it?  For anyone who's curious, here's the problem:-
>
>
> int
> raptor_vsnprintf2(char *buffer, size_t size,
>                   const char *format, va_list arguments)
> {
>   size_t len;
>
>   RAPTOR_ASSERT_OBJECT_POINTER_RETURN_VALUE(format, char*, 0);
>
> #ifdef CHECK_VSNPRINTF_RUNTIME
>
>   if(vsnprintf_is_c99())
>     VSNPRINTF_C99_BLOCK(len, buffer, size, format, arguments) ;
>   else
>     VSNPRINTF_NOT_C99_BLOCK(len, buffer, size, format, arguments) ;
>
> #else
>
> #ifdef HAVE_C99_VSNPRINTF
>   VSNPRINTF_C99_BLOCK(len, buffer, size, format, arguments) ;
> #else
>   VSNPRINTF_NOT_C99_BLOCK(len, buffer, size, format, arguments) ;
> #endif
>
> #endif
>
>
>
>   return RAPTOR_BAD_CAST(int, len);
> }
>
> Note that 'len' is uninitialised when it gets passed to either of the macros
> (VSNPRINTF_NOT_C99_BLOCK, in my case).  In abbreviated form, the macro
> translates to this code:-
>
> #define VSNPRINTF_NOT_C99_BLOCK(len, buffer, size, format, arguments)   \
>   do {                                                                  \
>     if(!buffer || !size) {                                              \
>       /* This vsnprintf doesn't return number of bytes required */      \
>       size = 2 + strlen(format);                                        \
>       len = -1;                                                         \
>       /* Do some other stuff (includes setting */                       \
>       /* the correct value for 'len')          */                       \
>     }                                                                   \
>                                                                         \
>     if(buffer)                                                          \
>       vsnprintf(buffer, len, format, arguments);                        \
>   } while(0)
>
> The variable 'len' gets passed to vsnprintf() - but if 'buffer' and 'size'
> both started off with nonzero values, 'len' will contain a garbage value.
>
> Hope that makes sense.
>
> John
>
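The uninitialised-length bug John describes, reduced to a stand-alone C example added here (it is neither raptor's code nor the change in the commit linked above): len_passed_to_vsnprintf() mirrors the macro's control flow and returns the bound that would reach vsnprintf(), and bounded_vsnprintf() is a hardened wrapper that always passes the caller's real 'size'. The GARBAGE_LEN sentinel, the "len = size" stand-in for the elided sizing code, and the availability of a C99 vsnprintf are assumptions of the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sentinel for the stack garbage an uninitialized 'len' holds. */
#define GARBAGE_LEN ((size_t)0xDEADBEEF)

/* Mirrors the control flow of the quoted VSNPRINTF_NOT_C99_BLOCK and returns
 * the 'len' that would be handed to vsnprintf(). It deliberately never calls
 * vsnprintf() with that value: a garbage bound is a buffer overflow. */
size_t len_passed_to_vsnprintf(const char *buffer, size_t size, const char *format)
{
  size_t len = GARBAGE_LEN;            /* uninitialized in the original */
  if(!buffer || !size) {
    size = 2 + strlen(format);         /* sizing path does assign len ... */
    len = size;                        /* ... stand-in for "the correct value" */
  }
  /* buffer != NULL && size != 0: no branch ever assigned len */
  return len;
}

/* Hardened wrapper written for this example: the bound passed to vsnprintf()
 * is always 'size', the caller's actual buffer length, never a separately
 * tracked variable. Assumes a C99 vsnprintf (returns the needed length). */
int bounded_vsnprintf(char *buffer, size_t size, const char *format, va_list args)
{
  if(!buffer || !size)
    return vsnprintf(NULL, 0, format, args);    /* measure only, C99 semantics */
  return vsnprintf(buffer, size, format, args); /* NUL-terminated within size */
}

int bounded_snprintf(char *buffer, size_t size, const char *format, ...)
{
  va_list args;
  int n;
  va_start(args, format);
  n = bounded_vsnprintf(buffer, size, format, args);
  va_end(args);
  return n;
}

/* Truncation check: an 8-byte buffer receives "hello w" plus NUL, and the
 * return value still reports the 11 characters the full string needed. */
int truncation_is_bounded(void)
{
  char buf[8];
  int n = bounded_snprintf(buf, sizeof buf, "%s", "hello world");
  return n == 11 && strcmp(buf, "hello w") == 0;
}
```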