printf: fix an out-of-bounds memory access
authorPádraig Brady <P@draigBrady.com>
Tue, 17 May 2011 23:01:55 +0000 (00:01 +0100)
committerPádraig Brady <P@draigBrady.com>
Wed, 18 May 2011 06:33:04 +0000 (07:33 +0100)
* src/printf.c (STRTOX): Don't access memory after a
string containing a single quote character.
* tests/misc/printf: Add tests for various combinations
of single quote characters combined with a numeric format.
* THANKS.in: Add bug reporter.
* NEWS: Mention the fix.

Reported-by: Paul Marinescu <paul.marinescu@imperial.ac.uk>
NEWS
THANKS.in
src/printf.c
tests/misc/printf

diff --git a/NEWS b/NEWS
index 7a7f761..88593ab 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,11 @@ GNU coreutils NEWS                                    -*- outline -*-
 
 * Noteworthy changes in release ?.? (????-??-??) [?]
 
+** Bug fixes
+
+  printf '%d' '"' no longer accesses out-of-bounds memory in the diagnostic.
+  [bug introduced in sh-utils-1.16]
+
 ** New features
 
   split accepts a new --filter=CMD option.  With it, split filters output
index 3156834..9120ba3 100644 (file)
--- a/THANKS.in
+++ b/THANKS.in
@@ -449,6 +449,7 @@ Patrick Mauritz                     oxygene@studentenbude.ath.cx
 Paul D. Smith                       psmith@gnu.org
 Paul Ghaleb                         paul.ghaleb@st.com
 Paul Jarc                           prj@po.cwru.edu
+Paul Marinescu                      paul.marinescu@imperial.ac.uk
 Paul Nevai                          nevai@ops.mps.ohio-state.edu
 Paul Sauer                          paul@alexa.com
 Paul Slootman                       paul@debian.org
index e05947c..24070b8 100644 (file)
@@ -160,7 +160,7 @@ FUNC_NAME (char const *s)                                            \
   char *end;                                                            \
   TYPE val;                                                             \
                                                                          \
-  if (*s == '\"' || *s == '\'')                                                 \
+  if ((*s == '\"' || *s == '\'') && *(s + 1))                           \
     {                                                                   \
       unsigned char ch = *++s;                                          \
       val = ch;                                                                 \
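Review bot: The added `&& *(s + 1)` guard carries no comment, and the reason a lone quote must skip this branch is not obvious from the condition alone. The visible `*++s` consumes the byte after the quote, and judging by the "character(s) following character constant" warning expected in the test, the branch presumably examines one more byte after that, which for a one-character argument would lie past the terminating NUL. I would add above the `if`, inside the macro with its trailing backslash, `/* A quote with nothing after it is not a character constant; treat it as a number so this branch never reads past the NUL. */`, and spell the check `s[1] != '\0'`, which reads more directly than `*(s + 1)`. The body of FUNC_NAME starts before and continues after this hunk, so the second read is inferred rather than visible here.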
index 6404761..fd1275d 100755 (executable)
@@ -96,4 +96,27 @@ EOF
 
 compare out exp || fail=1
 
+# Verify handling of single quote chars (\' or \")
+
+"$prog" '%d\n' '"a'  >out 2>err   # valid
+"$prog" '%d\n' '"a"' >>out 2>>err # invalid
+"$prog" '%d\n' '"'   >>out 2>>err # invalid
+"$prog" '%d\n' 'a'   >>out 2>>err # invalid
+
+cat <<EOF > exp
+97
+97
+0
+0
+EOF
+
+cat <<EOF > exp_err
+$prog: warning: ": character(s) following character constant have been ignored
+$prog: ": expected a numeric value
+$prog: a: expected a numeric value
+EOF
+
+compare out exp || fail=1
+compare err exp_err || fail=1
+
 Exit $fail
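Review bot: Only the double-quote arm of the fixed condition is exercised here, although the comment above the new commands names both `\'` and `\"` and the src/printf.c hunk also tests `*s == '\''`. I would add `"$prog" '%d\n' "'a" >>out 2>>err # valid` and `"$prog" '%d\n' "'" >>out 2>>err # invalid`, with matching `97` and `0` lines appended to exp and the corresponding "expected a numeric value" line in exp_err. The `# invalid` label on the `'"a"'` case is also misleading, since exp expects it to print 97 with only a warning; `# valid, trailing character ignored with a warning` would describe it. Because the old failure was a read just past the end of the argument, comparing output may not catch a regression reliably unless this test is also run under a memory checker.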