Commit Graph

611 Commits

Author SHA1 Message Date
Jean-Sébastien Pédron
671c033623 Remove incorrect __restrict qualifier on several pointers
The typical case was:
static __inline int
convert_ccl(FILE *fp, char * __restrict p, [...])
{
        [...]

        if (p == SUPPRESS_PTR) {
		[...]
	} else {
		[...]
	}

	[...]
}

This qualifier says that the pointer is the only one at that time
pointing to the resource.

Here, clang considers that "p" will never match "SUPPRESS_PTR" and
optimize the if{} block out. This leads to segfaults in programs calling
vfscanf(3) and vfwscanf(3) with just the format string (no arguments
following it).

The following softwares were reported to abort with segmentation fault
and this patch fixes it:
    o  cmake
    o  smartd
    o  devel/ORBit2

dim@ opened an LLVM PR to discuss this clang optimization:
    http://llvm.org/bugs/show_bug.cgi?id=12656

Tested by:	bsam@
2012-04-30 11:28:17 +00:00
David Schultz
cbd3cbbae0 Fix a bug in *wscanf's handling of non-wide %s, %c, and %[
conversions.  Both the specification and the documentation say the
width is interpreted as the max number of wide characters to read, but
the implementation was interpreting it as the number of bytes to convert.
(See also r105317.)

This change has security implications for any applications that depend
on the buggy behavior, but the impact in practice is probably nil.
Any such application would already be buggy on other platforms that
get the semantics right.  Also, these conversions are rarely used;
%ls, %lc, and %l[ are more appropriate.
2012-04-30 01:08:18 +00:00
David Schultz
d7af8cf14b Previously, vfscanf()'s wide character processing functions were
reading wide characters manually.  With this change, they now use
fgetwc().  To make this work, we use an internal version of fgetwc()
with a few extensions: it takes an mbstate * because non-wide streams
don't have a built-in mbstate, and it indicates the number of bytes
read.

vfscanf() now resembles vfwscanf() more closely.  Minor functional
improvements include working xlocale support in vfscanf(), setting the
stream error indicator on encoding errors, and proper handling of
shift-based encodings.  (Actually, making shift-based encodings work
with non-wide streams is hopeless, but the implementation now matches
the broken specification.)
2012-04-29 16:28:39 +00:00
Jeremie Le Hen
5a239e7000 Fix small documentation mistakes.
Submitted by:	brueffer
Approved by:	kib (mentor)
2012-04-28 21:50:30 +00:00
Jeremie Le Hen
6486b015fc Import stdbuf(1) and the shared library it relies on.
This tool changes the default buffering behaviour of standard
stdio streams.

It only works on dynamic binaries.  To make it work for static
ones it would require cluttering stdio because there no single
entry point.

PR:		166660
Reviewed by:	current@, jhb
Approved by:	kib (mentor)
MFC after:	1 week
2012-04-28 20:52:20 +00:00
Konstantin Belousov
46ffdf3bbd Take the spinlock around clearing of the fp->_flags in fclose(3), which
indicates the avaliability of FILE, to prevent possible reordering of
the writes as seen by other CPUs.

Reported by:	Fengwei yin <yfw.bsd gmail com>
Reviewed by:	jhb
MFC after:	1 week
2012-04-24 17:51:36 +00:00
David Schultz
06b4e48852 Bugfix: Include whitespace characters in the count of the number of
characters read.
2012-04-22 21:28:33 +00:00
David Schultz
f010dc7dc4 Bugfix: Correctly count the number of characters read for %l[ conversions. 2012-04-22 21:28:14 +00:00
David Schultz
01d2a7858e Bugfix: %n doesn't count as a conversion, so
sscanf("abc", "ab%ncd", &i) returns EOF, not 0.
2012-04-22 21:22:14 +00:00
David Schultz
51300896cb Refactor scanf to improve modularity. Conversions are now performed
by separate conversion functions.  This will hopefully make bugs more
noticeable (I noticed several already) and provide opportunities to
reduce code duplication.
2012-04-22 21:18:41 +00:00
David Schultz
86dc3a9ae2 As noted by Peter Jeremy, r234528 only partially fixed the infinite
loop bug introduced in r187302.  This completes the fix.

PR:		167039
MFC after:	3 days
2012-04-21 07:31:27 +00:00
David Schultz
666d00d34a If the size passed to {,v}s{w,n}printf is larger than INT_MAX+1
(i.e., the return value would overflow), set errno to EOVERFLOW
and return an error.  This improves the chances that buggy
applications -- for instance, ones that pass in a negative integer
as the size due to a bogus calculation -- will fail in safe ways.
Returning an error in these situations is specified by POSIX, but
POSIX appears to have an off-by-one error that isn't duplicated in
this change.

Previously, some of these functions would silently cap the size at
INT_MAX+1, and others would exit with an error after writing more
than INT_MAX characters.

PR:		39256
MFC after:	2 weeks
2012-04-21 06:10:18 +00:00
David Schultz
31fe39edac - Fix the claim that the output is always null-terminated. This isn't
true if the size is zero.
- Fix a claim that sprintf() is the same as snprintf() with an
  infinite size.  It's equivalent to snprintf() with a size of
  INT_MAX + 1.
- Document the return values in the return values section.
- Document the possible errno value of EOVERFLOW.

MFC after:	2 weeks
2012-04-21 06:09:09 +00:00
David Schultz
04acf36509 Ensure that the {,v}swprintf functions always null-terminate the
output string, even if an encoding error or malloc failure occurs.
2012-04-21 06:08:29 +00:00
David Schultz
177628ce75 Fix a bug introduced in r187302 that was causing fputws() to enter an
infinite loop pretty much unconditionally.  It's remarkable that the
patch that introduced the bug was never tested, but even more
remarkable that nobody noticed for over two years.

PR:		167039
MFC after:	3 days
2012-04-21 06:08:02 +00:00
Eitan Adler
50d675f7a9 Remove trailing whitespace per mdoc lint warning
Disussed with:	gavin
No objection from:	doc
Approved by:	joel
MFC after:	3 days
2012-03-29 05:02:12 +00:00
Eitan Adler
a8448a8ce7 Remove outdated comment of seven years
PR:		docs/116116
Approved by:	cperciva
MFC after:	1 week
2012-03-04 16:44:04 +00:00
Eitan Adler
008474bbf1 Remove reference to gcc's non-standard -fwritable-strings, which
doesn't exist in recent releases (and is bad advice anyway)

PR:		docs/163119
Submitted by:	Yuri Pankov <yuri.pankov@gmail.com>
Approved by:	cperciva
MFC after:	1 week
2012-03-04 16:41:07 +00:00
David Chisnall
3c87aa1d3d Implement xlocale APIs from Darwin, mainly for use by libc++. This adds a
load of _l suffixed versions of various standard library functions that use
the global locale, making them take an explicit locale parameter.  Also
adds support for per-thread locales.  This work was funded by the FreeBSD
Foundation.

Please test any code you have that uses the C standard locale functions!

Reviewed by:    das (gdtoa changes)
Approved by:    dim (mentor)
2011-11-20 14:45:42 +00:00
David Schultz
bd26fb812d Add support for the 'x' mode option in fopen() as specified in the C1X
draft standard.  The option is equivalent to O_EXCL.

MFC after:	1 month
2011-10-21 06:35:58 +00:00
Pawel Jakub Dawidek
a9cf49ab39 Because we call __printf_out() with a on-stack buffer, also call
__printf_flush() so we are sure it won't be referenced after we return.

MFC after:	2 weeks
2011-03-06 19:47:46 +00:00
Pawel Jakub Dawidek
f03ca7241b Fix various issues in how %#T is handled:
- If precision is 0, don't print period followed by no digits.
- If precision is 0 stop printing units as soon as possible
  (eg. if we have three years and five days and precision is 0
   print only 3y5d).
- If precision is not 0, print all units (eg. 3y0d0h0m0s.00).

MFC after:	2 weeks
2011-03-06 17:43:32 +00:00
John Baldwin
cc3d85727d When reopening a stream backed by an open file descriptor, do not close
the existing file descriptor.  Instead, let dup2() atomically close the
old file descriptor when assigning the newly opened file to the same
descriptor.  This closes a race in a multithreaded application where a
concurrent open() could allocate the existing file descriptor in between
the calls to close() and dup2().

PR:		threads/79887
Submitted by:	Dmitrij Tejblum  tejblum of yandex-team.ru
Reviewed by:	davidxu
MFC after:	1 week
2010-12-09 20:28:30 +00:00
Gavin Atkinson
da1e775d12 Remove two unused variables, left over from the refactoring in r180104.
PR:		bin/152551
Submitted by:	Henning Petersen <henning.petersen t-online.de>
MFC after:	2 weeks
2010-12-02 13:40:21 +00:00
David Schultz
06127c9c2a Update the documentation to reflect changes to the implementation in
r197752, which is related to handling of null buffer pointers.  Also
make a few minor wording changes.

Reported by:	jh@
2010-11-30 21:26:21 +00:00
Rebecca Cran
5512804bb8 Revert changes of 'assure' to 'ensure' made in r211936.
Approved by: rrs (mentor)
2010-09-11 10:49:56 +00:00
Rebecca Cran
e7f8dd75b3 Fix incorrect usage of 'assure' and 'insure'.
Approved by: rrs (mentor)
2010-08-28 16:32:01 +00:00
Ulrich Spörlein
0afc94c17a mdoc: move CAVEATS, BUGS and SECURITY CONSIDERATIONS sections to the
bottom of the manpages and order them consistently.

GNU groff doesn't care about the ordering, and doesn't even mention
CAVEATS and SECURITY CONSIDERATIONS as common sections and where to put
them.

Found by:	mdocml lint run
Reviewed by:	ru
2010-05-13 12:07:55 +00:00
Ulrich Spörlein
2a10d6d199 mdoc: fix parenthesis
Reviewed by:	brueffer
2010-05-11 23:08:31 +00:00
Ulrich Spörlein
488704b28a mdoc: use macro for +- that is understood by mdocml
Reviewed by:	brueffer
2010-05-11 23:08:15 +00:00
David E. O'Brien
6a18a77221 I feel this wording of the history is more clear.
ANSIfy vasprintf() while I'm here.
2010-04-05 22:09:29 +00:00
John Baldwin
1b0181df2f - Use an initializer macro to initialize fields in 'fake' FILE objects used
by *sprintf(), etc.
- Explicitly initialize _fl_mutex to PTHREAD_MUTEX_INITIALIZER for all FILE
  objects.  This is currently a nop on FreeBSD, but is import for other
  platforms (or in the future) where PTHREAD_MUTEX_INITIALIZER is not simply
  zero.

PR:		threads/141198
Reported by:	Jeremy Huddleston @ Apple
MFC after:	2 weeks
2010-03-11 17:03:32 +00:00
Jaakko Heinonen
6ca7812a19 In _gettemp(), check that the length of the path doesn't exceed
MAXPATHLEN. Otherwise the path name (or part of it) may not fit to
carrybuf causing a buffer overflow.

PR:		bin/140228
Suggested by:	jilles
2010-02-28 13:31:29 +00:00
Ruslan Ermilov
e363756c8f %U was macroized in mdoc(7), escape. 2010-02-16 12:29:02 +00:00
Colin Percival
c6a96a8441 Give a less silly response to a silly request.
Prior to this commit, fread/fwrite calls with size * nmemb > SIZE_MAX
were handled by reading or writing (size_t)(size * nmemb) bytes; for
example, on 32-bit platforms, fread(ptr, 641, 6700417, f) would read 1
byte and indicate that the requested 6700417 blocks had been read.

This commit adds a check for such integer overflows, and treats them as
if an overly large request was passed to read/write; i.e., it sets errno
to EINVAL, sets the error indicator on the file, and returns a short
object count (0, to be specific).

The overflow check involves an integer division, so as a performance
optimization we check first to see if both size and nmemb are less than
2^16; if they are, no overflow is possible and we avoid the division.
We assume here that size_t is at least 32 bits; this appears to be true
on all platforms FreeBSD supports.

Although this commit fixes an integer overflow, it is not likely to have
any security implications, since any program which would be affected by
this bug fix is quite clearly already very confused.

Reviewed by:	kib
MFC after:	1 month
2010-01-10 14:30:30 +00:00
Christian Brueffer
37dc3d28cb Remove unnecessary quoting and markup, add missing punctuation.
PR:		140494
Submitted by:	Jeremy Huddleston <jeremyhu@apple.com>, bde
MFC after:	1 week
2010-01-08 22:02:42 +00:00
Xin LI
280101b76e Use vsprintf instead of rolling our own.
PR:		bin/140496
Submitted by:	Jeremy Huddleston <jeremyhu apple.com>
MFC after:	1 month
2009-12-21 19:59:38 +00:00
Xin LI
d22fecc5e6 Use vsscanf instead of rolling our own.
PR:		bin/140530
Submitted by:	Jeremy Huddleston <jeremyhu apple.com>
MFC after:	1 month
2009-12-21 19:56:03 +00:00
Xin LI
c19ee5a0fb K&R -> ANSI prototype.
MFC after:	1 month
2009-12-21 19:55:05 +00:00
Matteo Riondato
5d26f10fbb 2009-12-16 04:19:23 +00:00
Ed Schouten
2c201a9afe Fix many "function declaration isn't a prototype" warnings in libc.
I've only fixed code that seems to be written by `us'. There are still
many warnings like this present in resolv/, rpc/, stdtime/ and yp/.
2009-12-05 19:31:38 +00:00
Christian Brueffer
da6186437a Fix the dprintf() prototype.
PR:		141087
Submitted by:	Jeremy Huddleston <jeremyhu@apple.com>
MFC after:	3 days
2009-12-02 07:51:25 +00:00
Garrett Wollman
0c0349bfa4 Eliminate more dead stores.
Found by:	Clang static analyzer
MFC after:	7 days
2009-11-25 04:45:45 +00:00
Garrett Wollman
750a395ba6 Make all three if conditions look similar by always initializing nsec
and moving the default initialization of prec into the else clause.
The clang static analyzer erroneously thought that nsec can be used
uninitialized here; it was not actually possible, but better to make
the code clearer.  (Clang can't know that sprintf() won't modify *pi
behind the scenes.)
2009-11-25 04:35:54 +00:00
Garrett Wollman
ab5b2fafec In __mbsconv(), if prec was zero, nconv could have been used
uninitialized.  Initialize it to a safe value so that there's no
chance of returning an error if stack garbage happens to be equal to
(size_t)-1 or (size_t)-2.

Found by:	Clang static analyzer
MFC after:	7 days
2009-11-25 04:27:55 +00:00
Garrett Wollman
e40c32385d Eliminate dead store.
Found by:	Clang static analyzer
MFC after:	7 days
2009-11-25 04:21:42 +00:00
David Schultz
7e817e2a03 Better glibc compatibility for getline/getdelim:
- Tolerate applications that pass a NULL pointer for the buffer and
  claim that the capacity of the buffer is nonzero.

- If an application passes in a non-NULL buffer pointer and claims the
  buffer has zero capacity, we should free (well, realloc) it
  anyway. It could have been obtained from malloc(0), so failing to
  free it would be a small memory leak.

MFC After:	2 weeks
Reported by:	naddy
PR:		ports/138320
2009-10-04 19:43:36 +00:00
Ed Schouten
4522791bb4 Make the description of `b' a little better.
If you have a one-byte sequence, `w', `b' is the second character. Not
the third.

Submitted by:	Christoph Mallon
2009-09-09 19:38:19 +00:00
Ed Schouten
77822acff7 Fix fwrite() to return 0 when size or nmemb are zero.
Right now nmemb is returned when size is 0. In newer versions of the
standards, it is explicitly required that fwrite() should return 0.

Submitted by:	Christoph Mallon
Approved by:	re (kib)
2009-07-12 13:09:43 +00:00
David Schultz
6685ac34d9 Return -1 instead of 0 upon reaching EOF. This is somewhat ill-advised
because it means getdelim() returns -1 for both error and EOF, and
never returns 0. However, this is what the original GNU	implementation
does, and POSIX inherited the bug.

Reported by:	marcus@
2009-04-06 13:50:04 +00:00