Don't use %n on glibc >= 2.3 systems.

diff --git a/ChangeLog b/ChangeLog
index 73ac493f840032d8525f9e2334650de16c918b21..2a3499900c015b97eb6d40ade8bd885e8427b7b0 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2007-10-18  Bruno Haible  <bruno@clisp.org>
+
+       * m4/vasnprintf.m4 (VASNPRINTF): Don't use %n on glibc >= 2.3 systems.
+       Reported by Jim Meyering.
+
 2007-10-18  Eric Blake  <ebb9@byu.net>
 
        * modules/filenamecat-tests (Makefile.am): Link against -lintl.

diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
index f56382334919f19824971ece142a18194e211fba..5d818aa6424919f9b02fa385247dad51b4a0c99a 100644 (file)
--- a/lib/vasnprintf.c
+++ b/lib/vasnprintf.c
@@ -3385,9 +3385,21 @@ VASNPRINTF (DCHAR_T *resultbuf, size_t *lengthp,
 #endif
                  *fbp = dp->conversion;
 #if USE_SNPRINTF
+# if !(__GLIBC__ > 2 || (__GLIBC__ == 2 && __GLIBC_MINOR__ >= 3))
                fbp[1] = '%';
                fbp[2] = 'n';
                fbp[3] = '\0';
+# else
+               /* On glibc2 systems from glibc >= 2.3 - probably also older
+                  ones - we know that snprintf's returns value conforms to
+                  ISO C 99: the gl_SNPRINTF_DIRECTIVE_N test passes.
+                  Therefore we can avoid using %n in this situation.
+                  On glibc2 systems from 2004-10-18 or newer, the use of %n
+                  in format strings in writable memory may crash the program
+                  (if compiled with _FORTIFY_SOURCE=2), so we should avoid it
+                  in this situation.  */
+               fbp[1] = '\0';
+# endif
 #else
                fbp[1] = '\0';
 #endif