Re: [PATCH 1/4] lib/vsprintf: always advance args in bstr_printf() pointer path

Next message: Pawan Gupta: "Re: [PATCH v8 00/10] VMSCAPE optimization for BHI variant"
Previous message: Mathieu Poirier: "Re: [PATCH v2 2/3] remoteproc: imx_rproc: Pass bootaddr to SM CPU/LMM reset vector"
In reply to: Josh Law: "[PATCH 1/4] lib/vsprintf: always advance args in bstr_printf() pointer path"
Next in thread: Andy Shevchenko: "Re: [PATCH 0/4] lib/vsprintf: assorted bug fixes"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Petr Mladek

Date: Mon Mar 30 2026 - 12:24:20 EST

On Tue 2026-03-24 22:49:37, Josh Law wrote:
> When the output buffer is full (str >= end), bstr_printf() skips
> advancing the args pointer past the pre-rendered pointer string in
> bin_buf. This causes all subsequent format specifiers to read from
> the wrong position, corrupting the rest of the output.
>
> Always compute the string length and advance args regardless of
> whether there is space to copy into the output buffer.
>
> Signed-off-by: Josh Law <objecting@xxxxxxxxxxxxx>

It looks correct to me. It is interesting that nobody found it yet.
But I guess that all users of bstr_printf() are using big enough
buffers so that it is hard to hit in practice.

Reviewed-by: Petr Mladek <pmladek@xxxxxxxx>

Best Regards,
Petr