| Commit message | Author | Age | Files | Lines |
... | |
| |
sscanf("abc", "ab%ncd", &i) returns EOF, not 0.
| |
by separate conversion functions. This will hopefully make bugs more
noticeable (I noticed several already) and provide opportunities to
reduce code duplication.
| |
loop bug introduced in r187302. This completes the fix.
PR: 167039
MFC after: 3 days
| |
(i.e., the return value would overflow), set errno to EOVERFLOW
and return an error. This improves the chances that buggy
applications -- for instance, ones that pass in a negative integer
as the size due to a bogus calculation -- will fail in safe ways.
Returning an error in these situations is specified by POSIX, but
POSIX appears to have an off-by-one error that isn't duplicated in
this change.
Previously, some of these functions would silently cap the size at
INT_MAX+1, and others would exit with an error after writing more
than INT_MAX characters.
PR: 39256
MFC after: 2 weeks
| |
true if the size is zero.
- Fix a claim that sprintf() is the same as snprintf() with an
infinite size. It's equivalent to snprintf() with a size of
INT_MAX + 1.
- Document the return values in the return values section.
- Document the possible errno value of EOVERFLOW.
MFC after: 2 weeks
| |
output string, even if an encoding error or malloc failure occurs.
| |
infinite loop pretty much unconditionally. It's remarkable that the
patch that introduced the bug was never tested, but even more
remarkable that nobody noticed for over two years.
PR: 167039
MFC after: 3 days
| |
Discussed with: gavin
No objection from: doc
Approved by: joel
MFC after: 3 days
| |
PR: docs/116116
Approved by: cperciva
MFC after: 1 week
| |
doesn't exist in recent releases (and is bad advice anyway)
PR: docs/163119
Submitted by: Yuri Pankov <yuri.pankov@gmail.com>
Approved by: cperciva
MFC after: 1 week
| |
load of _l suffixed versions of various standard library functions that use
the global locale, making them take an explicit locale parameter. Also
adds support for per-thread locales. This work was funded by the FreeBSD
Foundation.
Please test any code you have that uses the C standard locale functions!
Reviewed by: das (gdtoa changes)
Approved by: dim (mentor)
| |
draft standard. The option is equivalent to O_EXCL.
MFC after: 1 month
| |
__printf_flush() so we are sure it won't be referenced after we return.
MFC after: 2 weeks
| |
- If precision is 0, don't print period followed by no digits.
- If precision is 0 stop printing units as soon as possible
(eg. if we have three years and five days and precision is 0
print only 3y5d).
- If precision is not 0, print all units (eg. 3y0d0h0m0s.00).
MFC after: 2 weeks
| |
the existing file descriptor. Instead, let dup2() atomically close the
old file descriptor when assigning the newly opened file to the same
descriptor. This closes a race in a multithreaded application where a
concurrent open() could allocate the existing file descriptor in between
the calls to close() and dup2().
PR: threads/79887
Submitted by: Dmitrij Tejblum tejblum of yandex-team.ru
Reviewed by: davidxu
MFC after: 1 week
| |
PR: bin/152551
Submitted by: Henning Petersen <henning.petersen t-online.de>
MFC after: 2 weeks
| |
r197752, which is related to handling of null buffer pointers. Also
make a few minor wording changes.
Reported by: jh@
| |
Approved by: rrs (mentor)
| |
Approved by: rrs (mentor)
| |
bottom of the manpages and order them consistently.
GNU groff doesn't care about the ordering, and doesn't even mention
CAVEATS and SECURITY CONSIDERATIONS as common sections and where to put
them.
Found by: mdocml lint run
Reviewed by: ru
| |
Reviewed by: brueffer
| |
Reviewed by: brueffer
| |
ANSIfy vasprintf() while I'm here.
| |
by *sprintf(), etc.
- Explicitly initialize _fl_mutex to PTHREAD_MUTEX_INITIALIZER for all FILE
objects. This is currently a nop on FreeBSD, but is important for other
platforms (or in the future) where PTHREAD_MUTEX_INITIALIZER is not simply
zero.
PR: threads/141198
Reported by: Jeremy Huddleston @ Apple
MFC after: 2 weeks
| |
MAXPATHLEN. Otherwise the path name (or part of it) may not fit in
carrybuf, causing a buffer overflow.
PR: bin/140228
Suggested by: jilles
| |
| |
Prior to this commit, fread/fwrite calls with size * nmemb > SIZE_MAX
were handled by reading or writing (size_t)(size * nmemb) bytes; for
example, on 32-bit platforms, fread(ptr, 641, 6700417, f) would read 1
byte and indicate that the requested 6700417 blocks had been read.
This commit adds a check for such integer overflows, and treats them as
if an overly large request was passed to read/write; i.e., it sets errno
to EINVAL, sets the error indicator on the file, and returns a short
object count (0, to be specific).
The overflow check involves an integer division, so as a performance
optimization we check first to see if both size and nmemb are less than
2^16; if they are, no overflow is possible and we avoid the division.
We assume here that size_t is at least 32 bits; this appears to be true
on all platforms FreeBSD supports.
Although this commit fixes an integer overflow, it is not likely to have
any security implications, since any program which would be affected by
this bug fix is quite clearly already very confused.
Reviewed by: kib
MFC after: 1 month
| |
PR: 140494
Submitted by: Jeremy Huddleston <jeremyhu@apple.com>, bde
MFC after: 1 week
| |
PR: bin/140496
Submitted by: Jeremy Huddleston <jeremyhu apple.com>
MFC after: 1 month
| |
PR: bin/140530
Submitted by: Jeremy Huddleston <jeremyhu apple.com>
MFC after: 1 month
| |
MFC after: 1 month
| |
| |
I've only fixed code that seems to be written by `us'. There are still
many warnings like this present in resolv/, rpc/, stdtime/ and yp/.
| |
PR: 141087
Submitted by: Jeremy Huddleston <jeremyhu@apple.com>
MFC after: 3 days
| |
Found by: Clang static analyzer
MFC after: 7 days
| |
and moving the default initialization of prec into the else clause.
The clang static analyzer erroneously thought that nsec can be used
uninitialized here; it was not actually possible, but better to make
the code clearer. (Clang can't know that sprintf() won't modify *pi
behind the scenes.)
| |
uninitialized. Initialize it to a safe value so that there's no
chance of returning an error if stack garbage happens to be equal to
(size_t)-1 or (size_t)-2.
Found by: Clang static analyzer
MFC after: 7 days
| |
Found by: Clang static analyzer
MFC after: 7 days
| |
- Tolerate applications that pass a NULL pointer for the buffer and
claim that the capacity of the buffer is nonzero.
- If an application passes in a non-NULL buffer pointer and claims the
buffer has zero capacity, we should free (well, realloc) it
anyway. It could have been obtained from malloc(0), so failing to
free it would be a small memory leak.
MFC After: 2 weeks
Reported by: naddy
PR: ports/138320
| |
If you have a one-byte sequence, `w', `b' is the second character. Not
the third.
Submitted by: Christoph Mallon
| |
Right now nmemb is returned when size is 0. In newer versions of the
standards, it is explicitly required that fwrite() should return 0.
Submitted by: Christoph Mallon
Approved by: re (kib)
| |
because it means getdelim() returns -1 for both error and EOF, and
never returns 0. However, this is what the original GNU implementation
does, and POSIX inherited the bug.
Reported by: marcus@
| |
dprintf() is a simple wrapper around another function, so we may as
well implement it. But also like getline(), we can't prototype it by
default right now because it would break too many ports.
| |
number of functions that have an incestuous relationship with the
arcane innards of stdio.
| |
a size_t *, although the distinction is moot in practice.
| |
Reviewed by: md5(1)
| |
| |
wcscasecmp(), and wcsncasecmp().
- Make some previously non-standard extensions visible
if POSIX_VISIBLE >= 200809.
- Use restrict qualifiers in stpcpy().
- Declare off_t and size_t in stdio.h.
- Bump __FreeBSD_version in case the new symbols (particularly
getline()) cause issues with ports.
Reviewed by: standards@
| |
Fix harmless but related bugs in %_$zd and %_$tu.
PR: 131880
MFC after: 1 week
| |
Submitted by: keramida and jhb