[Bug 385634] New: vsnprintf() returns empty buffer when size argument is large
https://bugzilla.novell.com/show_bug.cgi?id=385634

           Summary: vsnprintf() returns empty buffer when size argument is large
           Product: openSUSE 11.0
           Version: Factory
          Platform: i686
        OS/Version: openSUSE 11.0
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: shawn.bohrer@gmail.com
         QAContact: qa@suse.de
          Found By: Beta-Customer

Created an attachment (id=211765)
 --> (https://bugzilla.novell.com/attachment.cgi?id=211765)
Code sample that reproduces the issue

On my machine I noticed I was getting an empty buffer when I passed INT32_MAX as the size to vsnprintf(). From my testing smaller sizes work as expected, so I narrowed it down: sizes less than 1079009912 seem to always work, and greater always fail. However I suspect there is a race condition since at exactly 1079009912 it is about 50/50 work/fail and I don't see anything special about that number.

To reproduce try the attached vsnprintf.cpp which is currently set to INT32_MAX:

g++ vsnprintf.cpp
./a.out

Relevant info:

rpm -qa | grep gcc
gcc43-c++-4.3.1_20080425-2
gcc-c++-4.3-32
gcc42-4.2.1_20070724-17
gcc-4.3-32
gcc-gij-4.3-32
gcc43-4.3.1_20080425-2
gcc43-gij-4.3.1_20080425-2
gcc42-gij-4.2.1_20070724-26
gcc42-c++-4.2.1_20070724-17
libgcc43-4.3.1_20080425-2

rpm -qa | grep glibc
glibc-devel-2.8-6
glibc-2.8-6
glibc-i18ndata-2.8-8
glibc-locale-2.8-8

g++ --version
g++ (SUSE Linux) 4.3.1 20080425 (prerelease) [gcc-4_3-branch revision 134659]
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

cat /proc/cpuinfo | grep "model name"
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz
model name      : Intel(R) Xeon(R) CPU           E5345  @ 2.33GHz

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=385634

Andreas Jaeger <aj@novell.com> changed:

           What    |Removed                                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.provo.novell.com   |pbaudis@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=385634

User dsterba@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385634#c1

David Sterba <dsterba@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dsterba@novell.com

--- Comment #1 from David Sterba <dsterba@novell.com>  2008-10-24 07:22:21 MDT ---

int vsnprintf(char *str, size_t size, const char *format, va_list ap);

Shouldn't the 'size' argument reflect the 'str' buffer size? What sense does it make to pass a large number when the buffer is 40 bytes on stack? Try to shrink it to 4 and you will see a segfault, regardless of whether the 'size' is INT32_MAX or 1079009912.
https://bugzilla.novell.com/show_bug.cgi?id=385634

User shawn.bohrer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385634#c2

--- Comment #2 from Shawn Bohrer <shawn.bohrer@gmail.com>  2008-10-24 09:31:12 MDT ---

The functions snprintf() and vsnprintf() write at most size bytes (including the trailing null byte ('\0')) to str.

'size' can be larger or smaller than the buffer; it doesn't really matter. The important thing is that size allows you to set an upper bound on how many bytes you will ever print into that buffer. For example, if you only ever wanted to print 4 bytes of data regardless of what 'format' and 'ap' are, you would set size to 4. Your example simply points out that the buffer needs to be large enough to hold the data from 'format' and 'ap'.

Regardless, my example simply demonstrated the issue. Try printing a string of size INT32_MAX into an adequately sized buffer and you should see the same problem.
https://bugzilla.novell.com/show_bug.cgi?id=385634

User shawn.bohrer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385634#c3

--- Comment #3 from Shawn Bohrer <shawn.bohrer@gmail.com>  2008-11-21 12:39:25 MST ---

I just tried this on a different machine and it appears to be fixed. I do not currently have openSUSE 11.0 on the machine I filed the bug with, so I don't know if it is really fixed, or if the different hardware may influence the race condition. Here are the specs from the machine which does not reproduce this bug:

rpm -qa | grep gcc
gcc-c++-4.3-39.1
gcc43-c++-4.3.1_20080507-6.1
gcc43-4.3.1_20080507-6.1
gcc-4.3-39.1
libgcc43-4.3.1_20080507-6.1

rpm -qa | grep glibc
glibc-devel-2.8-14.1
glibc-locale-2.8-14.1
glibc-2.8-14.1

g++ --version
g++ (SUSE Linux) 4.3.1 20080507 (prerelease) [gcc-4_3-branch revision 135036]
Copyright (C) 2008 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

cat /proc/cpuinfo | grep "model name"
model name      : Intel(R) Pentium(R) D CPU 2.80GHz

Strange, this is a dual core machine but for some reason it only shows one cpu right now. I'll have to look into that.
https://bugzilla.novell.com/show_bug.cgi?id=385634

User shawn.bohrer@gmail.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385634#c4

--- Comment #4 from Shawn Bohrer <shawn.bohrer@gmail.com>  2008-11-21 12:46:24 MST ---

In the previous comment I had one cpu disabled in the BIOS. Even with both cpus turned on the issue does not reproduce on this machine.
https://bugzilla.novell.com/show_bug.cgi?id=385634

User pbaudis@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=385634#c5

Petr Baudis <pbaudis@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #5 from Petr Baudis <pbaudis@novell.com>  2008-12-04 11:07:03 MST ---

I cannot reproduce this either.
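The exchange in comments #1 and #2 turns on what the size argument of vsnprintf() is for. The following is an added example written for this page; it is not the reporter's vsnprintf.cpp attachment and not glibc code. It shows the bounded wrapper a practitioner would use in place of a raw vsnprintf() call: the size passed is always the real capacity of the destination, the return value is checked for both error and truncation, and a separate check flags a caller-supplied size so large that dst + size would wrap the address space. The function names bounded_format() and size_fits_address_space() are this example's own, the 40-byte buffer mirrors the one mentioned in comment #1, and the remark about which stack addresses fail the wrap check for INT32_MAX is an assumption about the reporter's 32-bit machine that the thread does not confirm.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of one bounded format call. */
enum fmt_status { FMT_OK = 0, FMT_TRUNCATED = 1, FMT_ERROR = 2 };

/*
 * Format into dst, writing at most dst_len bytes including the trailing NUL.
 * dst_len has to be the real capacity of dst (sizeof on an array, or the
 * allocation size): any larger value makes vsnprintf no safer than sprintf,
 * because the only bound it enforces is the one it is told.  vsnprintf
 * returns the length the complete output would have had, so a result of
 * dst_len or more means the output was cut short and the caller must not
 * treat the buffer as holding the whole string.
 */
static enum fmt_status bounded_format(char *dst, size_t dst_len,
                                      size_t *needed_out,
                                      const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (dst == NULL || dst_len == 0)
        return FMT_ERROR;

    va_start(ap, fmt);
    needed = vsnprintf(dst, dst_len, fmt, ap);
    va_end(ap);

    if (needed < 0) {
        /* Encoding or overflow error: hand back a terminated, empty buffer. */
        dst[0] = '\0';
        return FMT_ERROR;
    }
    if (needed_out != NULL)
        *needed_out = (size_t)needed;
    return (size_t)needed >= dst_len ? FMT_TRUNCATED : FMT_OK;
}

/*
 * Sanity check for a caller-supplied size: dst + size must not wrap around
 * the end of the address space.  On a 32-bit process a 40-byte stack buffer
 * with size = INT32_MAX fails this check whenever the buffer sits above
 * 0x80000000 (assumption about the report's machine, not confirmed in the
 * thread).  A size that passes is not thereby shown to match the buffer;
 * that is the caller's job, as bounded_format() documents.
 */
static int size_fits_address_space(const char *dst, size_t size)
{
    uintptr_t start = (uintptr_t)dst;
    return size <= UINTPTR_MAX - start;
}

int main(void)
{
    char buf[40];          /* same capacity as the buffer discussed in comment #1 */
    size_t needed = 0;
    enum fmt_status st;

    st = bounded_format(buf, sizeof buf, &needed, "pid=%d user=%s", 4242, "shawn");
    printf("status=%d needed=%zu buf=\"%s\"\n", (int)st, needed, buf);

    /* Output longer than the buffer: 39 characters are kept, plus the NUL. */
    st = bounded_format(buf, sizeof buf, &needed, "%0100d", 7);
    printf("status=%d needed=%zu strlen=%zu\n", (int)st, needed, strlen(buf));

    printf("INT32_MAX as size fits address space: %d\n",
           size_fits_address_space(buf, (size_t)INT32_MAX));
    return 0;
}
```

The truncation status is the part most often dropped in real code: a caller that ignores it and later appends to, or trusts the length of, a silently truncated string is the usual way a "safe" snprintf turns into a logic bug.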