From 0952940a242d8909da60d3ebde6059b47579f530 Mon Sep 17 00:00:00 2001 From: Scott Guest Date: Mon, 2 Oct 2023 10:43:10 -0400 Subject: [PATCH] Add calls to `va_copy` and `va_end` to fix UB in `sfprintf` (#850) Using the same `va_list` multiple times is UB, and we should call `va_copy` before each use instead. We also need to call `va_end`. (Pulling this out from the #828 because it was reverted). --------- Co-authored-by: rv-jenkins --- nix/llvm-backend-matching.mavenix.lock | 12 ++++++------ runtime/util/ConfigurationPrinter.cpp | 14 ++++++++++++-- 2 files changed, 18 insertions(+), 8 deletions(-) diff --git a/nix/llvm-backend-matching.mavenix.lock b/nix/llvm-backend-matching.mavenix.lock index 0af5142b1..bb69ca83d 100644 --- a/nix/llvm-backend-matching.mavenix.lock +++ b/nix/llvm-backend-matching.mavenix.lock @@ -246,15 +246,15 @@ "sha1": "fdec6f2d2514787039928bcb781f9e67f4738899" }, { - "path": "com/runtimeverification/k/kore/1.0-SNAPSHOT/kore-1.0-20230929.174637-28.jar", - "sha1": "eb69f46a691abd910e46a6f37b721066e9adc804" + "path": "com/runtimeverification/k/kore/1.0-SNAPSHOT/kore-1.0-20230930.025149-29.jar", + "sha1": "04972642a285d27d20767761d593840798a5ffd5" }, { - "path": "com/runtimeverification/k/kore/1.0-SNAPSHOT/kore-1.0-20230929.174637-28.pom", + "path": "com/runtimeverification/k/kore/1.0-SNAPSHOT/kore-1.0-20230930.025149-29.pom", "sha1": "2706d868319a03bc491350cb3a1af0927ef1a839" }, { - "path": "com/runtimeverification/k/parent/1.0-SNAPSHOT/parent-1.0-20230929.174609-28.pom", + "path": "com/runtimeverification/k/parent/1.0-SNAPSHOT/parent-1.0-20230930.025126-29.pom", "sha1": "62b92746f9104b7966075e98dc7b69c44475c72c" }, { 
@@ -5337,11 +5337,11 @@ "groupId": "com.runtimeverification.k", "metas": [ { - "content": "\n\n com.runtimeverification.k\n kore\n 1.0-SNAPSHOT\n \n \n 20230929.174637\n 28\n \n 20230929174637\n \n \n jar\n 1.0-20230929.174637-28\n 20230929174637\n \n \n pom\n 1.0-20230929.174637-28\n 20230929174637\n \n \n \n", + "content": "\n\n com.runtimeverification.k\n kore\n 1.0-SNAPSHOT\n \n \n 20230930.025149\n 29\n \n 20230930025149\n \n \n jar\n 1.0-20230930.025149-29\n 20230930025149\n \n \n pom\n 1.0-20230930.025149-29\n 20230930025149\n \n \n \n", "path": "com/runtimeverification/k/kore/1.0-SNAPSHOT" }, { - "content": "\n\n com.runtimeverification.k\n parent\n 1.0-SNAPSHOT\n \n \n 20230929.174609\n 28\n \n 20230929174609\n \n \n pom\n 1.0-20230929.174609-28\n 20230929174609\n \n \n \n", + "content": "\n\n com.runtimeverification.k\n parent\n 1.0-SNAPSHOT\n \n \n 20230930.025126\n 29\n \n 20230930025126\n \n \n pom\n 1.0-20230930.025126-29\n 20230930025126\n \n \n \n", "path": "com/runtimeverification/k/parent/1.0-SNAPSHOT" } ],
diff --git a/runtime/util/ConfigurationPrinter.cpp b/runtime/util/ConfigurationPrinter.cpp
index 66e57e0f1..894b9aed4 100644
--- a/runtime/util/ConfigurationPrinter.cpp
+++ b/runtime/util/ConfigurationPrinter.cpp
@@ -90,6 +90,8 @@ void sfprintf(writer *file, const char *fmt, ...) {
 } else {
 char buf[8192];
 char *finalBuf = buf;
+ va_list args_copy;
+ va_copy(args_copy, args);
 int res = vsnprintf(
 buf + sizeof(blockheader), sizeof(buf) - sizeof(blockheader), fmt,
 args);
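Review bot: `res` is an `int`, and nothing after the `vsnprintf` call in this hunk handles a negative return, which `vsnprintf` uses to report an output or encoding error. The next hunk compares `res` with `size - sizeof(blockheader)`, where `size` is a `size_t`, so a negative `res` would convert to a very large unsigned value, take the grow path and keep the `do … while` loop doubling `size`. A guard straight after the call would close that off, for example `if (res < 0) { va_end(args_copy); va_end(args); return; }`, or whatever error path the runtime prefers. The enclosing `else` branch and the first size check lie outside this hunk.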
@@ -97,23 +99,31 @@ void sfprintf(writer *file, const char *fmt, ...) {
 size_t size = sizeof(buf) * 2;
 finalBuf = (char *)malloc(size);
 memcpy(finalBuf, buf, sizeof(buf));
+ va_list args_temp;
+ va_copy(args_temp, args_copy);
 res = vsnprintf(
 finalBuf + sizeof(blockheader), size - sizeof(blockheader), fmt,
- args);
+ args_temp);
+ va_end(args_temp);
 if (res >= size - sizeof(blockheader)) {
 do {
 size *= 2;
 finalBuf = (char *)realloc(finalBuf, size);
+ va_list args_temp;
+ va_copy(args_temp, args_copy);
 res = vsnprintf(
 finalBuf + sizeof(blockheader), size - sizeof(blockheader), fmt,
- args);
+ args_temp);
+ va_end(args_temp);
 } while (res >= size - sizeof(blockheader));
 }
 }
+ va_end(args_copy);
 string *str = (string *)finalBuf;
 init_with_len(str, res);
 hook_BUFFER_concat(file->buffer, str);
 }
+ va_end(args);
 }
 void printComma(writer *file, void *state) {
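Review bot: Neither allocation on the grow path is checked: the `malloc` result goes straight into `memcpy`, and `finalBuf = (char *)realloc(finalBuf, size);` overwrites the only pointer to the old block, so a failed `realloc` leaks it and hands `vsnprintf` a pointer derived from NULL. This path runs whenever the formatted output does not fit the 8192-byte stack buffer, so its size follows the data being printed. I would check both results and grow through a temporary, as sketched below; `abort()` there only stands in for the runtime's own out-of-memory handling. Separately, the inner `va_list args_temp` in the `do` block shadows the one declared a few lines above, and a distinct name would keep `-Wshadow` quiet. The function body starts outside this hunk.

```cpp
      finalBuf = (char *)malloc(size);
      if (!finalBuf) {
        abort(); // placeholder for the runtime's out-of-memory path
      }
      // … unchanged: memcpy and the first retry through args_temp …
        do {
          size *= 2;
          char *grown = (char *)realloc(finalBuf, size);
          if (!grown) {
            free(finalBuf); // the old block is still owned here
            abort();        // placeholder for the runtime's out-of-memory path
          }
          finalBuf = grown;
          // … unchanged: va_copy into args_temp, vsnprintf, va_end …
        } while (res >= size - sizeof(blockheader));
```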