crash in grisu2_prettify #1127

Closed
pauldreik opened this issue Apr 21, 2019 · 1 comment

Hi,
I found another crash through fuzzing sprintf. It gives a segmentation fault (using address sanitizer also works).

#include <string>

#include <fmt/printf.h>

int
main()
{
  int a = -13;     // negative value consumed by '*' as the precision
  float b = -1e19;
  std::string message = fmt::sprintf("%.*%", a, b);
}

I think the reason is that

it = copy_str<Char>(digits + full_exp, digits + size, it);

on format.h line 1203 gets an invalid range. I added assert(full_exp<=size); which is triggered by this.

By the way, I pushed my fuzzers to here in case you or someone else wants to fuzz.

Thanks,
Paul

vitaut added a commit that referenced this issue Apr 21, 2019
and remove redundant check in grisu2_prettify.

vitaut commented Apr 21, 2019

Thanks! This is a bug in fmt::sprintf - negative precision should have been converted to zero (the check in prettifier is actually redundant). I didn't even know printf allows negative precision =). Fixed in bd516e3.

vitaut closed this as completed Apr 21, 2019
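
The two defences discussed in this thread, as an added example that is not part of the original issue and not fmt's code: a simplified fixed-notation formatter that converts a negative `*` precision to zero and validates each digit range before copying. The names `normalize_precision`, `checked_append` and `format_fixed` are hypothetical, and the formatter truncates rather than rounds.

```cpp
#include <cstddef>
#include <stdexcept>
#include <string>

// Hypothetical helpers for illustration; this is not fmt's implementation.

// A '*' precision is read from the argument list, so it can be negative.
// Following the fix described in the thread, a negative value becomes zero.
int normalize_precision(int precision) { return precision < 0 ? 0 : precision; }

// Appends digits[begin, end) only after validating the range. An inverted
// range (begin > end) is the condition the reporter's assert caught.
void checked_append(std::string& out, const std::string& digits,
                    std::size_t begin, std::size_t end) {
  if (begin > end || end > digits.size())
    throw std::out_of_range("invalid digit range");
  out.append(digits, begin, end - begin);
}

// Renders digits * 10^exp in fixed notation with `precision` fractional
// digits (truncating instead of rounding to keep the example short).
std::string format_fixed(const std::string& digits, int exp, int precision) {
  if (digits.empty()) throw std::invalid_argument("no digits");
  const std::size_t prec =
      static_cast<std::size_t>(normalize_precision(precision));
  const std::size_t size = digits.size();
  const long full_exp = static_cast<long>(size) + exp;  // digits before '.'
  std::string out, frac;
  if (full_exp <= 0) {  // 1234e-6 -> 0.001234
    out = "0";
    frac.assign(static_cast<std::size_t>(-full_exp), '0');
    frac += digits;
  } else if (static_cast<std::size_t>(full_exp) >= size) {  // 1e19 -> 1000...
    out = digits;
    out.append(static_cast<std::size_t>(full_exp) - size, '0');
  } else {  // 1234e-2 -> 12.34
    const std::size_t split = static_cast<std::size_t>(full_exp);
    checked_append(out, digits, 0, split);
    checked_append(frac, digits, split, size);
  }
  frac.resize(prec, '0');  // truncate or zero-pad to the requested precision
  if (prec > 0) out += '.' + frac;
  return out;
}
```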