Dear uclibc-ng developers,
We have run a static analysis tool (Klocwork) in uclibc and one of its checkers (ABV.GENERAL) indicates a potential buffer overflow in uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045
The problem occurs as an out-of-bounds access to array 'argtype', which is a member of 'ppfs_t'. This array has length 'MAX_ARGS'. According to the static analysis tool, the array can be accessed using index 'n' of value '-1' and '9..254' in the conditional shown below:
// File: uclibc-ng/src/master/libc/stdio/_vfprintf.c:1045 if (_is_equal_or_bigger_arg(ppfs->argtype[n], argtype[i])) { ppfs->argtype[n] = argtype[i]; }
Triggering an out-of-bounds access for 'n=-1' is relatively simply when using printf or similar functions (e.g. vfprintf). Such out-of-bounds access occurs when positional arguments are specified, as in the following statement:
printf("%1$s", "Hello world!");
Although Klocwork claims that the array might be accessed using indexes '9..254', we were not able to trigger an out-of-bounds access for indexes in this range.
Kind regards, Diego Dias