    Add error-throwing wrappers for the printf family of functions. · 16304a01
    Noah Misch authored
    All known standard library implementations of these functions can fail
    with ENOMEM.  A caller neglecting to check for failure would experience
    missing output, information exposure, or a crash.  Check return values
    within wrappers and code, currently just snprintf.c, that bypasses the
    wrappers.  The wrappers do not return after an error, so their callers
    need not check.  Back-patch to 9.0 (all supported versions).
    
    Popular free software standard library implementations do take pains to
    bypass malloc() in simple cases, but they risk ENOMEM for floating point
    numbers, positional arguments, large field widths, and large precisions.
    No specification demands such caution, so this commit regards every call
    to a printf family function as a potential threat.
    
    Injecting the wrappers implicitly is a compromise between patch scope
    and design goals.  I would prefer to edit each call site to name a
    wrapper explicitly.  libpq and the ECPG libraries would, ideally, convey
    errors to the caller rather than abort().  All that would be painfully
    invasive for a back-patched security fix, hence this compromise.
    
    Security: CVE-2015-3166
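The wrapper pattern the message describes, as an added example that is not the commit's own code: a checked `vsnprintf`/`snprintf` pair that never returns after a library failure, so call sites only need to handle truncation (the function names and the abort-on-failure handler are assumptions of this illustration).

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical failure handler: like the wrappers in the commit message,
 * it does not return, so callers of the checked functions need no check of
 * their own (a library such as libpq would instead report to its caller).
 */
static void printf_failure(const char *what, int saved_errno)
{
    fprintf(stderr, "%s failed: %s\n", what, strerror(saved_errno));
    abort();
}

/*
 * A negative return from vsnprintf means the C library failed (ENOMEM,
 * EILSEQ, ...), and the buffer contents are then unspecified. A return of
 * size or more is NOT an error: C99 defines it as truncation, which the
 * caller decides how to treat.
 */
int checked_vsnprintf(char *buf, size_t size, const char *fmt, va_list ap)
{
    int n = vsnprintf(buf, size, fmt, ap);

    if (n < 0)
        printf_failure("vsnprintf", errno);
    return n;
}

int checked_snprintf(char *buf, size_t size, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = checked_vsnprintf(buf, size, fmt, ap);
    va_end(ap);
    return n;
}
```

The same shape applies to `fprintf`/`printf` wrappers: check for a negative return and route it through the non-returning handler rather than continuing with missing output.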