This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
snprintf allocates memory?!?
- From: Jim Meyering <jim at meyering dot net>
- To: libc-alpha at sourceware dot org
- Date: Thu, 10 Apr 2008 22:15:10 +0200
- Subject: snprintf allocates memory?!?
There is a surprising bug in glibc's snprintf:
it can _allocate memory_ (and an arbitrarily large amount)
even for a tiny buffer. Just filed as BZ 441945.
Obviously, snprintf should never need to call malloc.
/* snprintf should not allocate memory, *ever*.
   POSIX says that snprintf may fail with EOVERFLOW (n > INT_MAX or size of
   output would exceed INT_MAX).  It appears not to allow failure with ENOMEM,
   as happens here:

     $ zsh -c 'ulimit -v 5000; ./a.out %$[5*2**20]d'
     fmt: %5242880d retval=-1 errno=Cannot allocate memory

     # Same with bash, but it requires more memory:
     $ bash -c 'ulimit -v 12000; ./a.out %$[12*2**20]d'
*/

#include <stdio.h>
#include <string.h>
#include <errno.h>

int
main(int argc, char **argv)
{
  char buf[200];
  char *fmt = argv[1];
  if (argc < 2)
    return 1;

  int n = snprintf (buf, sizeof buf, fmt, 1);
  int saved_errno = errno;
  printf ("fmt: %s retval=%d errno=%s\n", fmt, n,
          n < 0 ? strerror(saved_errno) : "");
  return 0;
}
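
Added example, not part of the original message or of glibc: a caller-side guard for code that, like the reproducer above, passes an externally supplied format to snprintf. It rejects formats whose width or precision exceeds a cap and treats a negative return as failure. MAX_FIELD and the function names are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELD 64L /* assumed cap on width/precision, not a glibc limit */

/* Parse an optional literal number at *pp; -1 if it is '*' or exceeds MAX_FIELD. */
static int bounded_number(const char **pp)
{
    if (**pp == '*')
        return -1; /* value would come from the argument list */
    if (isdigit((unsigned char)**pp)) {
        char *end;
        if (strtol(*pp, &end, 10) > MAX_FIELD) /* LONG_MAX on overflow */
            return -1;
        *pp = end;
    }
    return 0;
}

/* 0 if fmt has exactly one plain int conversion with bounded width and
   precision; -1 otherwise (also rejects %s, %n and length modifiers). */
static int check_int_format(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%' || *++p == '%') /* ordinary text or a literal "%%" */
            continue;
        p += strspn(p, "-+ #0"); /* flags */
        if (bounded_number(&p) != 0)
            return -1;
        if (*p == '.' && (p++, bounded_number(&p) != 0))
            return -1;
        if (*p == '\0' || !strchr("diuxXoc", *p) || ++conversions > 1)
            return -1;
    }
    return conversions == 1 ? 0 : -1;
}

/* Format one int; returns length, or -1 on bad format, error or truncation. */
static int format_int_checked(char *buf, size_t size, const char *fmt, int value)
{
    if (size == 0 || check_int_format(fmt) != 0)
        return -1;
    int n = snprintf(buf, size, fmt, value);
    return (n < 0 || (size_t)n >= size) ? -1 : n;
}
```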