On 25 March 2026 12:05:24 GMT, Andy Shevchenko <andriy.shevchenko@linux.intel.com> wrote:
>On Tue, Mar 24, 2026 at 10:49:36PM +0000, Josh Law wrote:
>> Four small fixes found during an audit of lib/vsprintf.c:
>>
>> 1. bstr_printf() fails to advance the args pointer past a
>> pre-rendered pointer string when the output buffer is full,
>> corrupting all subsequent output.
>>
>> 2. vbin_printf() writes end[-1] unconditionally when NUL-terminating
>> a pointer string, which is an OOB write when size is zero.
>>
>> 3. vsscanf() uses s16 for field_width but assigns from skip_atoi()
>> which returns int, silently truncating large widths to negative
>> and aborting parsing.
>>
>> 4. format_decode() is missing a (u8) cast on the second lookup into
>> the format_state table, allowing a negative array index on
>> signed-char platforms.
>
>These all need a good review. And I think binary printf() might have
>a bit different rules on how to propagate the pointer in the buffer.
>To me these might fix something or might break something or do nothing
>(like in patch 4) due to lack of expertise in the area.
>
>So, I am skeptical about accepting that series, sorry. But I leave it
>to others to decide, not giving any tag here.
>
Yep! That's absolutely fine! If you would like any patches dropped, just tell me and I'll do it!
I hope I improved vsprintf with these patches, seriously haha
V/R
Josh Law
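
The integer conversions behind items 3 and 4 of the quoted cover letter, as an added stand-alone illustration that is not part of this thread and is not code from lib/vsprintf.c. It models only the two patterns (an int narrowed into a 16-bit signed field, and a signed char used as a table index) and says nothing about whether either is reachable in the kernel. `parse_width()`, `TABLE_SIZE` and the sample inputs are constructed for the example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical digit parser returning int (a stand-in, not the kernel's skip_atoi()). */
static int parse_width(const char **s)
{
    int v = 0;

    while (isdigit((unsigned char)**s))
        v = v * 10 + (*(*s)++ - '0');
    return v;
}

/* Item 3 pattern: the int result is stored in a 16-bit signed field. */
int width_as_s16(const char *fmt)
{
    /* Out-of-range values wrap with GCC/Clang; the cast only makes the narrowing visible. */
    int16_t w = (int16_t)parse_width(&fmt);

    return w;
}

/* Same parse with the field kept as int: the value survives. */
int width_as_int(const char *fmt)
{
    return parse_width(&fmt);
}

/* Item 4 pattern: a format byte used as an index into a 256-entry table. */
#define TABLE_SIZE 256  /* assumed size, for illustration only */

/* signed char models a platform where plain char is signed. */
int index_plain(signed char c) { return c; }          /* sign-extends */
int index_u8(signed char c)    { return (uint8_t)c; } /* always 0..255 */
int in_table(int idx)          { return idx >= 0 && idx < TABLE_SIZE; }

int main(void)
{
    signed char high = (signed char)0xE9;  /* constructed byte with the top bit set */

    printf("width 40000: s16=%d int=%d\n",
           width_as_s16("40000s"), width_as_int("40000s"));
    printf("byte 0xE9: plain=%d (in table: %d), u8=%d (in table: %d)\n",
           index_plain(high), in_table(index_plain(high)),
           index_u8(high), in_table(index_u8(high)));
    return 0;
}
```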