NetBSD-Bugs archive
bin/42466: vsnprintf_ss() causes infinite loop
>Number: 42466
>Category: bin
>Synopsis: vsnprintf_ss() causes infinite loop
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Dec 17 13:35:00 +0000 2009
>Originator: yasuoka%iij.ad.jp@localhost
>Release: NetBSD 5.0.1
>Organization:
Internet Initiative Japan Inc.
>Environment:
System: NetBSD yasuoka-nb.iij.ad.jp 5.0.1 NetBSD 5.0.1 (GENERIC) #0: Thu Jul 30
01:39:11 UTC 2009
builds%b8.netbsd.org@localhost:/home/builds/ab/netbsd-5-0-1-RELEASE/i386/200907292356Z-obj/home/builds/ab/netbsd-5-0-1-RELEASE/src/sys/arch/i386/compile/GENERIC
i386
Architecture: i386
Machine: i386
>Description:
Programs using vsnprintf_ss() cause an infinite loop.
lib/libc/stdio/vsnprintf.c 1.21
113 #define PUTCHAR(C) do {                 \
114         if (sbuf < tailp)               \
115                 *sbuf++ = (C);          \
116 } while (/*CONSTCOND*/0)
(snip)
164         for (;;) {
165                 while (*fmt != '%' && *fmt) {
166                         ret++;
167                         PUTCHAR(*fmt++);
168                 }
To break 'while' at 165, 'fmt' must be incremented in every loop. But
PUTCHAR(C) is a macro function; it doesn't increment the macro value
'C' in case 'sbuf >= tailp'. This causes an infinite loop.
>How-To-Repeat:
The test program below (archived by shar(1)) can repeat the problem on
NetBSD 5.0.1/i386.
# This is a shell archive. Save it in a file, remove anything before
# this line, and then unpack it by entering "sh file". Note, it may
# create directories; files and directories will be owned by you and
# have default permissions.
#
# This archive contains:
#
# vsnprintf/Makefile
# vsnprintf/vsnprintf_test.c
#
echo x - vsnprintf/Makefile
sed 's/^X//' >vsnprintf/Makefile << 'END-of-vsnprintf/Makefile'
XNOMAN= #
XPROG= vsnprintf_test
X
X.include <bsd.prog.mk>
END-of-vsnprintf/Makefile
echo x - vsnprintf/vsnprintf_test.c
sed 's/^X//' >vsnprintf/vsnprintf_test.c << 'END-of-vsnprintf/vsnprintf_test.c'
X#include <sys/types.h>
X#include <stdlib.h>
X#include <string.h>
X
Xint snprintf_ss(char *, size_t size, const char *, ...);
X
Xint
Xmain(int argc, char *argv[])
X{
X char buf0[32], buf1[32];
X
X memset(buf1, 'A', sizeof(buf1));
X buf1[31] = '\0';
X
X snprintf_ss(buf0, sizeof(buf0), "%sZZZZ", buf1);
X
X exit(EXIT_SUCCESS);
X}
X
X
END-of-vsnprintf/vsnprintf_test.c
exit
>Fix:
Index: vsnprintf_ss.c
===================================================================
RCS file: /cvsroot/NetBSD/src/lib/libc/stdio/vsnprintf_ss.c,v
retrieving revision 1.8
diff -b -u -p -r1.8 vsnprintf_ss.c
--- vsnprintf_ss.c 25 Oct 2009 20:44:13 -0000 1.8
+++ vsnprintf_ss.c 17 Dec 2009 13:07:08 -0000
@@ -164,7 +164,8 @@ vsnprintf_ss(char *sbuf, size_t slen, co
for (;;) {
while (*fmt != '%' && *fmt) {
ret++;
- PUTCHAR(*fmt++);
+ PUTCHAR(*fmt);
+ fmt++;
}
if (*fmt == 0)
goto done;
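Review bot: The split into "PUTCHAR(*fmt);" and "fmt++;" repairs this one call site, but PUTCHAR itself still skips evaluating its argument once sbuf reaches tailp, so any other use in the file that passes an expression with a side effect would stall the same way. Please check the remaining PUTCHAR call sites in vsnprintf_ss.c and add a comment at the macro definition saying the argument may not be evaluated. Also note that the Description cites lib/libc/stdio/vsnprintf.c 1.21 while the diff is against vsnprintf_ss.c 1.8; the report should name the file that is actually patched.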
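The stall described in the report can be reproduced outside libc. The following is an added example, not NetBSD code: it reuses the PUTCHAR shape quoted above and runs the pre-patch and patched loop forms side by side. The function names, the MAX_STEPS guard, the choice of tailp = sbuf + slen and the input string are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <stddef.h>

/* Same shape as the PUTCHAR macro quoted in the report: the argument
 * expression C is evaluated only while room remains in the buffer. */
#define PUTCHAR(C) do {			\
	if (sbuf < tailp)		\
		*sbuf++ = (C);		\
} while (/*CONSTCOND*/0)

#define MAX_STEPS 1000	/* guard (assumption) so the demo terminates */

/* Pre-patch loop form: the increment lives inside the macro argument.
 * Returns the iterations executed, or -1 if the guard tripped. */
int copy_literal_buggy(char *sbuf, size_t slen, const char *fmt)
{
	char *tailp = sbuf + slen;	/* assumption: end of buffer */
	int steps = 0;

	while (*fmt != '%' && *fmt) {
		if (++steps > MAX_STEPS)
			return -1;	/* fmt stopped advancing */
		PUTCHAR(*fmt++);
	}
	return steps;
}

/* Patched loop form: fmt advances whether or not a byte was stored. */
int copy_literal_fixed(char *sbuf, size_t slen, const char *fmt)
{
	char *tailp = sbuf + slen;
	int steps = 0;

	while (*fmt != '%' && *fmt) {
		if (++steps > MAX_STEPS)
			return -1;
		PUTCHAR(*fmt);
		fmt++;
	}
	return steps;
}

int main(void)
{
	char buf[4];	/* constructed input: literal longer than the buffer */
	printf("buggy: %d\n", copy_literal_buggy(buf, sizeof(buf), "ABCDEFGH"));
	printf("fixed: %d\n", copy_literal_fixed(buf, sizeof(buf), "ABCDEFGH"));
	return 0;
}
```

With a literal that fits in the buffer both forms return the same count; they diverge only once the buffer fills, which is why the fault shows up only with long output.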