From: Paul Eggert <eggert@cs.ucla.edu>
To: "Richard W.M. Jones" <rjones@redhat.com>, Eric Blake <eblake@redhat.com>
Cc: Florian Weimer <fweimer@redhat.com>,
glibc list <libc-alpha@sourceware.org>,
"libguestfs@redhat.com" <libguestfs@redhat.com>
Subject: Re: RFC: *scanf vs. overflow
Date: Sat, 23 May 2020 08:25:39 -0700 [thread overview]
Message-ID: <31c3a84e-46dc-7633-8b93-14fea45bfa40@cs.ucla.edu> (raw)
In-Reply-To: <20200523070654.GO3888@redhat.com>
On 5/23/20 12:06 AM, Richard W.M. Jones via Libc-alpha wrote:
> https://github.com/libguestfs/nbdkit/blob/b23f4f53cf71326f1dba481f64f7f182c20fa3dc/plugins/data/format.c#L171-L172
> We can only do this safely where we can prove that overflow does not
> matter.
Yes, this is exactly the sort of usage that I had in mind. In the following
example, which is the first use of *scanf I saw, if scanf never allowed integer
overflow (that is, it scanned only as much of a number that would fit), this
code would output an error message instead of blithely going on with an
overflowed number, and this would be safer than the code's current behavior.
> if (sscanf (&value[i], "*%" SCNi64 "%n", &k, &n) == 1) {
> if (k < 0) {
> nbdkit_error ("data parameter *N must be >= 0");
> return -1;
> }
> ...
> } else {
> nbdkit_error ("')' in data string not followed by '*'");
> return -1;
> }
next prev parent reply other threads:[~2020-05-23 15:25 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-05-22 20:59 RFC: *scanf vs. overflow Eric Blake via Libc-alpha
2020-05-23 1:16 ` Rich Felker
2020-05-23 3:06 ` Paul Eggert
2020-05-23 16:11 ` Rich Felker
2020-05-23 16:28 ` Paul Eggert
2020-05-23 16:45 ` Rich Felker
2020-05-23 17:18 ` Paul Eggert
2020-05-26 9:30 ` [Libguestfs] " Richard W.M. Jones via Libc-alpha
2020-05-23 7:06 ` Richard W.M. Jones via Libc-alpha
2020-05-23 15:25 ` Paul Eggert [this message]
2020-05-23 16:21 ` Rich Felker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.gnu.org/software/libc/involved.html
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=31c3a84e-46dc-7633-8b93-14fea45bfa40@cs.ucla.edu \
--to=eggert@cs.ucla.edu \
--cc=eblake@redhat.com \
--cc=fweimer@redhat.com \
--cc=libc-alpha@sourceware.org \
--cc=libguestfs@redhat.com \
--cc=rjones@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).