Forum: Ruby-core [CommonRuby - Feature #8864][Open] sprintf segfaults with too high precision

Aaronneyer (Aaron Neyer) (Guest)
on 2013-09-04 21:53
(Received via mailing list)
Issue #8864 has been reported by Aaronneyer (Aaron Neyer).

----------------------------------------
Feature #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864

Author: Aaronneyer (Aaron Neyer)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:


In any Ruby version (attempted with 1.8.7, 1.9.3, and 2.0.0), specifying
a very large precision in sprintf can cause a segmentation fault.

The following code will cause the segmentation fault.

`"%.99999f" % 10`

The number to cause a segfault is dependent on the system. On my laptop,
any number above 1100 would cause it, and on an EC2 micro instance,
around 2500 was the limit.

utkarshkukreti (Utkarsh Kukreti) (Guest)
on 2013-09-10 14:40
(Received via mailing list)
Issue #8864 has been updated by utkarshkukreti (Utkarsh Kukreti).


I'm trying to write a patch for this (my first contribution actually),
and I'll really appreciate some help.

I've found the cause -- the buffer sent to the `cvt()` function in
vsnprintf.c is allocated on the stack with a fixed size of
`#define BUF (MAXEXP+MAXFRACT+1)`
[here](https://github.com/ruby/ruby/blob/5b46f6c602c24c9c...),
which on my machine is `1024 + 64 + 1 == 1089`, and the data is written
to it without any bounds check, which causes the segfault.

I can think of two possible solutions:

1. Limit the precision a user can specify on a call to sprintf to
`MAXFRACT`.
2. `malloc` the actual required memory when it's greater than the
defined constant `BUF`, and `free` it before returning from the
function.

I think (2) is the best solution here.

What do you all think? Also, what functions should I use to
allocate/free memory inside `vsnprintf`?
----------------------------------------
Bug #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864#change-41720

Author: Aaronneyer (Aaron Neyer)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v:
Backport:


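The buffer arithmetic described in the post above, as an added example in C that is not Ruby's vsnprintf.c: it borrows the MAXEXP/MAXFRACT/BUF names and the 1024/64/1089 values reported for that machine, assumes (an assumption of this example, not a quote of the real code) that the cvt() digit buffer must hold MAXEXP integer digits plus prec fraction digits plus a NUL, and implements option 2, falling back to a heap buffer sized from the precision only when the fixed stack buffer is too small. cvt_digits_needed, overflows_fixed_buf and format_prec are names chosen here, and snprintf() stands in for the digit conversion itself.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Values reported in the thread for one build; the real ones are
 * platform dependent and live in vsnprintf.c, not in this example. */
#define MAXEXP   1024
#define MAXFRACT 64
#define BUF      (MAXEXP + MAXFRACT + 1)   /* 1089 on that machine */

/* Digits the cvt() buffer has to hold for "%.<prec>f": up to MAXEXP
 * integer digits, prec fraction digits and a terminating NUL.
 * This bound is assumed by the example, not taken from vsnprintf.c. */
size_t cvt_digits_needed(int prec)
{
    return (size_t)MAXEXP + (size_t)prec + 1;
}

/* The check the original code lacked: a precision above MAXFRACT already
 * needs more than BUF bytes, so writing it into the stack buffer is an
 * overflow even on a machine where the process does not crash yet. */
int overflows_fixed_buf(int prec)
{
    return prec < 0 || cvt_digits_needed(prec) > (size_t)BUF;
}

/* Option 2 from the thread: keep the fixed stack buffer for the common
 * case and switch to a heap buffer sized from the precision when the
 * stack buffer is too small. Two extra bytes cover the sign and decimal
 * point that snprintf() emits around the digits. Returns a malloc()ed
 * string the caller frees, or NULL on a bad precision or allocation
 * failure. */
char *format_prec(double v, int prec)
{
    char stackbuf[BUF + 2];
    char *buf = stackbuf;
    size_t need;
    int n;
    char *out;

    if (prec < 0)
        return NULL;
    need = cvt_digits_needed(prec) + 2;
    if (need > sizeof stackbuf) {           /* would not fit: allocate */
        buf = malloc(need);
        if (buf == NULL)
            return NULL;
    }
    n = snprintf(buf, need, "%.*f", prec, v);
    if (n < 0 || (size_t)n >= need) {       /* bound was wrong: fail closed */
        if (buf != stackbuf)
            free(buf);
        return NULL;
    }
    out = malloc((size_t)n + 1);
    if (out != NULL)
        memcpy(out, buf, (size_t)n + 1);
    if (buf != stackbuf)
        free(buf);                          /* free before returning, as proposed */
    return out;
}

int main(void)
{
    /* The reproducer from the report: "%.99999f" % 10 */
    char *s = format_prec(10.0, 99999);
    if (s == NULL)
        return 1;
    printf("prec 99999 overflows BUF: %d\n", overflows_fixed_buf(99999));
    printf("length %zu, starts \"%.5s\", ends '%c'\n",
           strlen(s), s, s[strlen(s) - 1]);
    free(s);
    return 0;
}
```

Note that overflows_fixed_buf() fires at precision 65, not at the 1100 or 2500 the report observed: the overflow begins as soon as the precision exceeds MAXFRACT, and how many bytes past the end it takes before the process actually crashes depends on what the compiler placed after the buffer on that stack frame.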
utkarshkukreti (Utkarsh Kukreti) (Guest)
on 2013-09-11 15:44
(Received via mailing list)
Issue #8864 has been updated by utkarshkukreti (Utkarsh Kukreti).


OK, (1) is not really an option; all other languages I looked at support
arbitrary values of precision.
----------------------------------------
Bug #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864#change-41740

Author: Aaronneyer (Aaron Neyer)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v:
Backport:


Heesob Park (phasis)
on 2013-09-12 12:44
(Received via mailing list)
Issue #8864 has been updated by phasis68 (Heesob Park).

File vsnprintf.patch added

I made a patch for this issue.
----------------------------------------
Bug #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864#change-41766

Author: Aaronneyer (Aaron Neyer)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v:
Backport:


nagachika (Tomoyuki Chikanaga) (Guest)
on 2013-09-12 14:58
(Received via mailing list)
Issue #8864 has been updated by nagachika (Tomoyuki Chikanaga).

Backport set to 1.9.3: REQUIRED, 2.0.0: REQUIRED
ruby -v set to -


----------------------------------------
Bug #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864#change-41770

Author: Aaronneyer (Aaron Neyer)
Status: Closed
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: -
Backport: 1.9.3: REQUIRED, 2.0.0: REQUIRED


nagachika (Tomoyuki Chikanaga) (Guest)
on 2013-09-15 15:52
(Received via mailing list)
Issue #8864 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 1.9.3: REQUIRED, 2.0.0: REQUIRED to 1.9.3:
REQUIRED, 2.0.0: DONE

Backported 42908 (to resolve a conflict) and 42918 to ruby_2_0_0 at
r42944.

----------------------------------------
Bug #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864#change-41834

Author: Aaronneyer (Aaron Neyer)
Status: Closed
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: -
Backport: 1.9.3: REQUIRED, 2.0.0: DONE


usa (Usaku NAKAMURA) (Guest)
on 2013-10-31 15:37
(Received via mailing list)
Issue #8864 has been updated by usa (Usaku NAKAMURA).

Backport changed from 1.9.3: REQUIRED, 2.0.0: DONE to 1.9.3: DONE,
2.0.0: DONE

Backported to ruby_1_9_3 at r43488.
----------------------------------------
Bug #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864#change-42692

Author: Aaronneyer (Aaron Neyer)
Status: Closed
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: -
Backport: 1.9.3: DONE, 2.0.0: DONE

