# BufferedVaList::index may read out of bounds

## Description

### Summary

`BufferedVaList` implements `index`, which retrieves the value of a va_arg at a specified index and assumes all values between the current location and the given index are of the type `usize`.
### Example

Given the following, havoc will ensue on x86_64 or aarch64 (when not on Windows... because Microsoft):

```c
printf("int: %*6$d double: %lf %lf %lf %lf\n", 5, 0.1, 0.2, 0.3, 0.4, 10);
```
In order to properly fix this we'll need to iterate over the format string once to find the types of each value contained in the list and then actually iterate over the list. `printf` is hard.
### Limitations

There are some cases like the following that there is no way we can figure out:

```c
printf("int: %*6$d no info on middle types\n", 5, 0.1, 0.2, 0.3, 0.4, 10);
```

We have no type information on the middle chunk, so the best we can do is guess. It looks like glibc assumes that the middle chunk is an `int`, so that seems reasonable.
### Type disagreements

There may be cases where the programmer gives us mixed types. E.g.

```c
printf("%1$d %1$lf", 5, 0.1);
// or
printf("%1$d %lf\n", 5, 0.2);
```

glibc seems to go with the last type declared.
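As an added example (not code from this issue or the project), here is the format-string pre-scan the Example section calls for, written to the glibc behaviour noted under Limitations and Type disagreements: every va_list slot gets a type before anything is read, `N$` and `*N$` name slots directly while unnumbered conversions take the next sequential slot, a slot named twice keeps the last type, and slots the format never names are left `Unknown` for the caller to treat as `int`. The `ArgType` enum and `arg_types` function are hypothetical names chosen for this example.

```rust
/// C type a va_arg slot has to be read as, recovered from the format string alone.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum ArgType { Unknown, Int, Long, Double, Ptr }
fn set(t: &mut Vec<ArgType>, pos: usize, ty: ArgType) { // a slot named twice keeps the last type
    if t.len() <= pos { t.resize(pos + 1, ArgType::Unknown); }
    t[pos] = ty;
}
/// Pre-scan `fmt` and return the type of every argument slot (0-based) before anything is
/// pulled from the va_list. `N$` refs name a slot directly, unnumbered conversions take the
/// next sequential slot; slots the format never names stay `Unknown` (caller defaults to int).
pub fn arg_types(fmt: &str) -> Vec<ArgType> {
    let b = fmt.as_bytes();
    let (mut types, mut next_seq, mut i) = (Vec::new(), 0usize, 0usize);
    let num = |i: &mut usize| -> Option<usize> { // optional run of decimal digits at b[i]
        let s = *i;
        while *i < b.len() && b[*i].is_ascii_digit() { *i += 1; }
        std::str::from_utf8(&b[s..*i]).ok()?.parse().ok()
    };
    while i < b.len() {
        if b[i] != b'%' { i += 1; continue; }
        i += 1;
        if i < b.len() && b[i] == b'%' { i += 1; continue; } // literal "%%"
        let save = i; // `N$`: this conversion's value comes from slot N
        let data_pos = match num(&mut i) {
            Some(n) if i < b.len() && b[i] == b'$' => { i += 1; Some(n.saturating_sub(1)) }
            _ => { i = save; None } };
        while i < b.len() && b"-+ #0'".contains(&b[i]) { i += 1; } // flags
        for k in 0..2 { // width, then precision: `*` and `*N$` each consume an int slot
            if k == 1 { if i < b.len() && b[i] == b'.' { i += 1; } else { break; } }
            if i < b.len() && b[i] == b'*' {
                i += 1; let save = i;
                let pos = match num(&mut i) {
                    Some(n) if i < b.len() && b[i] == b'$' => { i += 1; n.saturating_sub(1) }
                    _ => { i = save; next_seq += 1; next_seq - 1 } };
                set(&mut types, pos, ArgType::Int);
            } else { num(&mut i); }
        }
        let mut long = false; // length modifiers (`l` in `%lf` is a no-op for doubles)
        while i < b.len() && b"hlLqjzt".contains(&b[i]) { long |= b[i] != b'h'; i += 1; }
        if i >= b.len() { break; }
        let ty = match b[i] {
            b'd' | b'i' | b'u' | b'o' | b'x' | b'X' | b'c' => if long { ArgType::Long } else { ArgType::Int },
            b'f' | b'F' | b'e' | b'E' | b'g' | b'G' | b'a' | b'A' => ArgType::Double,
            b's' | b'p' | b'n' => ArgType::Ptr, _ => ArgType::Unknown };
        i += 1; // past the conversion character
        set(&mut types, data_pos.unwrap_or_else(|| { next_seq += 1; next_seq - 1 }), ty);
    }
    types
}
```

For the first example above this yields `[Int, Double, Double, Double, Double, Int]`, so the four doubles are never read as `usize`; the "no info" variant leaves the middle four slots `Unknown`, and both mixed-type formats resolve slot 1 to `Double`.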