From nobody@FreeBSD.org  Fri Aug  9 00:55:54 2013
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTP id 8E152EBA
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  9 Aug 2013 00:55:54 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from oldred.freebsd.org (oldred.freebsd.org [8.8.178.121])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 7ADE12FEA
	for <freebsd-gnats-submit@FreeBSD.org>; Fri,  9 Aug 2013 00:55:54 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id r790tsCB028204
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 9 Aug 2013 00:55:54 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id r790tsPF028203;
	Fri, 9 Aug 2013 00:55:54 GMT
	(envelope-from nobody)
Message-Id: <201308090055.r790tsPF028203@oldred.freebsd.org>
Date: Fri, 9 Aug 2013 00:55:54 GMT
From: Garrett Cooper <yaneurabeya@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: snprintf with out of bounds positional arguments results in segfault
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         181154
>Category:       kern
>Synopsis:       [libc] snprintf(3) with out of bounds positional arguments results in segfault
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 09 01:00:00 UTC 2013
>Closed-Date:    
>Last-Modified:  Fri Aug 09 01:24:22 UTC 2013
>Originator:     Garrett Cooper
>Release:        10-CURRENT
>Organization:
EMC Isilon
>Environment:
>Description:
The following piece of test code...

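#include <stdint.h>
#include <stdio.h>

#include <atf-c.h>

ATF_TC(snprintf_posarg_error);
ATF_TC_HEAD(snprintf_posarg_error, tc)
{

        atf_tc_set_md_var(tc, "descr", "test for positional arguments out "
            "of bounds");
}

ATF_TC_BODY(snprintf_posarg_error, tc)
{
        char s[16], fmt[32];

        /* Build "%<n>$d" with a positional index far past the one argument. */
        snprintf(fmt, sizeof(fmt), "%%%zu$d", SIZE_MAX / sizeof(size_t));

        /* Expected: an error return of -1, not a crash. */
        ATF_CHECK(snprintf(s, sizeof(s), fmt, -23) == -1);
}

/* Register the test case with the ATF test program. */
ATF_TP_ADD_TCS(tp)
{
        ATF_TP_ADD_TC(tp, snprintf_posarg_error);
        return (atf_no_error());
}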

Produces this segfault:

tc-start: 1376007948.899132, snprintf_posarg_error
tc-se:Test program crashed; attempting to get stack trace
tc-se:Core was generated by `t_printf'.
tc-se:Program terminated with signal 11, Segmentation fault.
tc-se:#0  0x28186bc3 in vfprintf () from /lib/libc.so.7
tc-se:Stack trace complete
tc-end: 1376007948.947316, snprintf_posarg_error, failed, Test program received signal 11 (core dumped)
>How-To-Repeat:

>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:
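
A caller-side guard for the failure reported above, as an added example that is not part of the original report or of FreeBSD libc: it rejects a format string whose positional references fall outside the arguments actually supplied, before the string reaches snprintf(3). The names parse_index and posargs_in_bounds are hypothetical, and the check goes beyond the report's `%n$d` case by also covering `*m$` width and precision references.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Read a decimal run at *pp and advance past it. Returns the value, or -1
 * once it exceeds `limit` (accumulation then stops, so nothing overflows). */
static long long parse_index(const char **pp, int limit)
{
    long long v = 0;
    for (; isdigit((unsigned char)**pp); (*pp)++)
        if (v >= 0 && (v = v * 10 + (**pp - '0')) > limit)
            v = -1;
    return v;
}

/* Hypothetical helper: 1 if every positional reference (%n$ or *n$) in fmt
 * names an argument in 1..nargs, else 0. */
int posargs_in_bounds(const char *fmt, int nargs)
{
    const char *p = fmt;
    while ((p = strchr(p, '%')) != NULL) {
        if (*++p == '%') { p++; continue; }     /* literal "%%" */
        const char *q = p;
        if (isdigit((unsigned char)*q)) {
            long long n = parse_index(&q, nargs);
            if (*q == '$') {            /* digits were an index, not a width */
                if (n < 1)
                    return 0;
                p = q + 1;
            }
        }
        /* Flags, width and precision come before any letter: check *m$. */
        while (*p != '\0' && *p != '%' && !isalpha((unsigned char)*p)) {
            if (*p++ == '*' && isdigit((unsigned char)*p) &&
                parse_index(&p, nargs) < 1 && *p == '$')
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    /* Constructed inputs: a valid format, then an index past nargs. */
    printf("%d %d\n", posargs_in_bounds("%2$*1$d", 2), posargs_in_bounds("%9$d", 1));
    return 0;
}
```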
