-------------------------------------------------------------------------------
Tue Jul 22 14:38:28 EDT 1997

Called it in C970722-3961

Tue Jul 22 14:48:57 EDT 1997

Called back. Got her email. Mailing my code to her.

Wed Jul 23 15:53:13 EDT 1997

Ann called me back to gauge the status of the problem.

[[ At some point they called me and announced that all I had to do was to
add a \0 right before the end of the block in the below test program. I had
to explain to them that I had engineered the program to demonstrate the bug
and that we had seen the problem in live service under a couple of different
situations. The dude sounded so disappointed on the other end. ]]
-------------------------------------------------------------------------------
Later...

Admitted that there was indeed a problem with the [s]printf calls. They had
a "meeting" about it and determined that they were deviating from the
specification and they are generating a patch.
-------------------------------------------------------------------------------
Wed Nov 19 18:27:13 EST 1997

Lib Printf Bug 2.3G-3 4.0B-5 - 4.0B-5 core problem with xterm.
-------------------------------------------------------------------------------
/*
 * The following code documents the problem.  When you use a "%.*s" style
 * printf conversion, regardless of the precision you pass in as the
 * maximum string length, the stdio library calls strlen() on the string
 * and so reads until it finds a '\0'.  The C standard says the opposite:
 * when a precision is given, no more than that many characters are
 * written and the array need not contain a '\0' at all.  The strlen()
 * means that if you are in the middle of a large block of characters
 * without a '\0' in sight, this will slow your program down immensely.
 * In addition, it may cause an invalid address to be referenced if you
 * are at the end of the mmap segment.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>

/* MAP_FILE and MAP_VARIABLE are OSF/1 (Digital Unix) mmap flags; other
 * systems either define MAP_FILE as 0 or lack both, so define them away
 * there so the program still builds. */
#ifndef MAP_FILE
#define MAP_FILE 0
#endif
#ifndef MAP_VARIABLE
#define MAP_VARIABLE 0
#endif

#define SIZE (16 * 1024)
#define STRING "test"

int
main(void)
{
	char *addr, *dest;
	int fd, len;

	fd = open("/dev/zero", O_RDONLY, 0);
	if (fd < 0) {
		perror("/dev/zero");
		exit(1);
	}
	/* Map SIZE zeroed bytes.  Nothing is guaranteed to be mapped right
	 * after this block, so a read past its end should fault. */
	addr = mmap(0L, SIZE, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_FILE | MAP_VARIABLE, fd, 0);
	(void)close(fd);
	if (addr == (char *)MAP_FAILED) {
		perror("mmap");
		exit(1);
	}

	/* Put the string in the very last bytes of the mapping, with no
	 * terminating '\0' inside the mapping; that is the whole point. */
	len = strlen(STRING);
	dest = addr + SIZE - len;
	memcpy(dest, STRING, len);

	/* this works: fwrite() is given the length and never looks past it */
	fwrite(dest, sizeof(char), len, stdout);
	fputc('\n', stdout);
	fflush(stdout);

	/* the buggy libc does a strlen() on dest here, ignores len, runs off
	 * the end of the mapping and seg faults */
	printf("%.*s\n", len, dest);
	return 0;
}
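The test program above crashes the process to prove the point. The following
is an added example, not part of the original log or of the vendor's code: a
portable self-check that answers "does this libc honor the precision of
%.*s?" without a core dump. It maps two pages, turns the second into a
PROT_NONE guard page, places a non-terminated copy of the constructed sample
string "test" in the last bytes of the first page, and formats it with
snprintf(). A conforming implementation reads at most len bytes and the
output equals the sample; an implementation that calls strlen() first walks
into the guard page, the SIGSEGV (or SIGBUS) handler siglongjmp()s out, and
the function reports the over-read. The function name precision_is_honored
and the page layout are this example's own choices. snprintf() is used rather
than printf() so that no stdio lock is held when the handler jumps out.

```c
#define _DEFAULT_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

static sigjmp_buf fault_env;

/* A fault while formatting means the libc read past the precision. */
static void on_fault(int sig)
{
	(void)sig;
	siglongjmp(fault_env, 1);
}

/* Returns 1 if "%.*s" with precision len stayed inside the readable page
 * and produced the expected text, 0 if it faulted on the guard page (an
 * over-read past the precision), -1 if the mapping could not be set up. */
int precision_is_honored(void)
{
	long page = sysconf(_SC_PAGESIZE);
	const char text[] = "test";          /* constructed sample string */
	int len = (int)(sizeof text - 1);     /* the NUL is deliberately not copied */
	char out[64];
	char *base, *dest;
	struct sigaction sa, old_segv, old_bus;
	int result;

	if (page <= 0)
		return -1;
	base = mmap(NULL, 2 * (size_t)page, PROT_READ | PROT_WRITE,
	    MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
	if (base == MAP_FAILED)
		return -1;
	/* Second page becomes an inaccessible guard page. */
	if (mprotect(base + page, (size_t)page, PROT_NONE) != 0) {
		munmap(base, 2 * (size_t)page);
		return -1;
	}
	/* Last len bytes of the first page hold the string, no terminator
	 * anywhere before the guard page. */
	dest = base + page - len;
	memcpy(dest, text, (size_t)len);

	memset(&sa, 0, sizeof sa);
	sa.sa_handler = on_fault;
	sigemptyset(&sa.sa_mask);
	sigaction(SIGSEGV, &sa, &old_segv);
	sigaction(SIGBUS, &sa, &old_bus);   /* some systems report guard hits as SIGBUS */

	if (sigsetjmp(fault_env, 1) == 0) {
		snprintf(out, sizeof out, "%.*s", len, dest);
		result = (strcmp(out, text) == 0) ? 1 : 0;
	} else {
		result = 0;   /* strlen()-style scan touched the guard page */
	}

	sigaction(SIGSEGV, &old_segv, NULL);
	sigaction(SIGBUS, &old_bus, NULL);
	munmap(base, 2 * (size_t)page);
	return result;
}

int main(void)
{
	int r = precision_is_honored();

	if (r < 0) {
		perror("setup");
		return 2;
	}
	printf("%%.*s precision %s\n",
	    r ? "honored" : "NOT honored (libc read past the precision)");
	return r == 1 ? 0 : 1;
}
```

On a fixed libc the program prints "honored" and exits 0; on one with the
bug described above it prints "NOT honored" and exits 1 instead of dumping
core, which makes it usable as a build-time or install-time sanity check.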