[PATCH 0/4] lib/vsprintf: assorted bug fixes
From: Josh Law
Date: Tue Mar 24 2026 - 18:50:22 EST

Four small fixes found during an audit of lib/vsprintf.c:

1. bstr_printf() fails to advance the args pointer past a
   pre-rendered pointer string when the output buffer is full,
   corrupting all subsequent output.

2. vbin_printf() writes end[-1] unconditionally when NUL-terminating
   a pointer string, which is an OOB write when size is zero.

3. vsscanf() uses s16 for field_width but assigns from skip_atoi()
   which returns int, silently truncating large widths to negative
   and aborting parsing.

4. format_decode() is missing a (u8) cast on the second lookup into
   the format_state table, allowing a negative array index on
   signed-char platforms.

Josh Law (4):
  lib/vsprintf: always advance args in bstr_printf() pointer path
  lib/vsprintf: fix OOB write in vbin_printf() when size is zero
  lib/vsprintf: use int for field_width in vsscanf()
  lib/vsprintf: add missing (u8) cast in format_decode() lookup

 lib/vsprintf.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
--
2.34.1
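
The integer-type problems in items 3 and 4 above, reproduced as a user-space model. This is an added example, not code from the series or from lib/vsprintf.c: parse_width(), the "width <= 0 stops parsing" check, table_index() and the sample inputs are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a digit parser that returns int. */
static int parse_width(const char **s)
{
	int i = 0;

	while (isdigit((unsigned char)**s))
		i = i * 10 + *(*s)++ - '0';
	return i;
}

/* Item 3: the parsed width is narrowed to 16 bits before the check.
 * Returns 1 if an assumed "width <= 0 means stop" check would abort. */
static int aborts_with_s16(const char *fmt)
{
	int16_t field_width = (int16_t)parse_width(&fmt);

	return field_width <= 0;
}

/* Same check with the width kept in an int: no truncation. */
static int aborts_with_int(const char *fmt)
{
	int field_width = parse_width(&fmt);

	return field_width <= 0;
}

/* Item 4: index computed from a format byte for a 256-entry table.
 * signed char models a signed-char platform on any build host. */
static int table_index(signed char c, int use_u8_cast)
{
	return use_u8_cast ? (uint8_t)c : c;
}

int main(void)
{
	const signed char high = (signed char)0xE9; /* constructed byte >= 0x80 */

	printf("width 40000: s16 aborts=%d, int aborts=%d\n",
	       aborts_with_s16("40000s"), aborts_with_int("40000s"));
	printf("byte 0xE9: index without cast=%d, with (u8) cast=%d\n",
	       table_index(high, 0), table_index(high, 1));
	return 0;
}
```

The model only computes the index; it never dereferences the table, so the uncast case is safe to run.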