From: "utkarshkukreti (Utkarsh Kukreti)"
Date: 2013-09-10T21:40:08+09:00
Subject: [ruby-core:57110] [ruby-trunk - Bug #8864] sprintf segfaults with too high precision

Issue #8864 has been updated by utkarshkukreti (Utkarsh Kukreti).

I'm trying to write a patch for this (my first contribution actually), and I'll really appreciate some help.

I've found the cause -- the buffer sent to the `cvt()` function in vsnprintf.c is allocated on the stack with a fixed size of `#define BUF (MAXEXP+MAXFRACT+1)` [here](https://github.com/ruby/ruby/blob/5b46f6c602c24c9cdf995914fc6998981f1e53ec/vsnprintf.c#L502), which on my machine is `1024 + 64 + 1 == 1089`, and the data is written to it without any bounds check, which causes the segfault.

I can think of two possible solutions:

1. Limit the precision a user can specify on a call to sprintf to `MAXFRACT`.
2. `malloc` the actual required memory when it's greater than the defined constant `BUF`, and `free` it before returning from the function.

I think (2) is the best solution here. What do you all think?

Also, what functions should I use to allocate/free memory inside `vsnprintf`?

----------------------------------------
Bug #8864: sprintf segfaults with too high precision
https://bugs.ruby-lang.org/issues/8864#change-41720

Author: Aaronneyer (Aaron Neyer)
Status: Open
Priority: Normal
Assignee:
Category:
Target version:
ruby -v:
Backport:

In any Ruby version (attempted with 1.8.7, 1.9.3, and 2.0.0), specifying a very large precision in sprintf can cause a segmentation fault. The following code will cause the segmentation fault.

`"%.99999f" % 10`

The number to cause a segfault is dependent on the system. On my laptop, any number above 1100 would cause it, and on an EC2 micro instance, around 2500 was the limit.

--
http://bugs.ruby-lang.org/
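The two remedies discussed in the message above (cap the precision at `MAXFRACT`, or fall back to heap allocation whenever the requested output would not fit the fixed `BUF`-sized stack buffer) can be shown side by side in a small stand-alone C program. This is an added example, not code from Ruby's vsnprintf.c or from the thread's participants: the `MAXEXP`/`MAXFRACT` values are copied from the numbers quoted in the message, the helper names `clamp_precision` and `format_fixed` are assumptions, and the size-probing `snprintf(NULL, 0, ...)` call is the standard C99 way to learn the required length before writing, which is what makes the bounds check possible.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants mirroring the fixed-size arithmetic quoted in the report
   (1024 + 64 + 1 == 1089). They stand in for the real vsnprintf.c macros. */
#define MAXEXP   1024
#define MAXFRACT 64
#define BUF      (MAXEXP + MAXFRACT + 1)

/* Option 1 from the message: refuse to format with a precision larger than
   MAXFRACT, so the fixed-size stack buffer can never be overrun. */
int clamp_precision(int prec) {
    if (prec < 0) return 0;
    return prec > MAXFRACT ? MAXFRACT : prec;
}

/* Option 2 from the message: keep using the stack buffer when the result
   fits, and switch to a malloc'd buffer of the exact required size when it
   does not. Always returns a heap copy the caller must free (NULL on error),
   so the caller never sees a pointer into this function's stack frame. */
char *format_fixed(double value, int prec) {
    char stack_buf[BUF];
    /* Probe: ask how many bytes "%.*f" would produce without writing any. */
    int needed = snprintf(NULL, 0, "%.*f", prec, value);
    if (needed < 0) return NULL;
    size_t need = (size_t)needed + 1;   /* +1 for the terminating NUL */

    if (need <= sizeof stack_buf) {
        /* Fits: bounded write into the stack buffer, then copy out. */
        snprintf(stack_buf, sizeof stack_buf, "%.*f", prec, value);
        char *out = malloc(need);
        if (out) memcpy(out, stack_buf, need);
        return out;
    }

    /* Too large for BUF: allocate exactly what is needed instead of
       overrunning the stack, which is the failure the bug report describes. */
    char *heap = malloc(need);
    if (!heap) return NULL;
    snprintf(heap, need, "%.*f", prec, value);
    return heap;
}

/* Convenience: length of the formatted result, or -1 on allocation failure. */
long formatted_length(double value, int prec) {
    char *s = format_fixed(value, prec);
    if (!s) return -1;
    long n = (long)strlen(s);
    free(s);
    return n;
}

int main(void) {
    /* The precision from the original report: "%.99999f" % 10 */
    int prec = 99999;
    printf("clamped precision: %d\n", clamp_precision(prec));
    printf("heap-path result length: %ld\n", formatted_length(10.0, prec));
    char *small = format_fixed(1.5, 2);
    if (small) {
        printf("stack-path result: %s\n", small);
        free(small);
    }
    return 0;
}
```

Run with `"%.99999f"`-style input, the probe reports 100002 bytes (the digits `10`, the dot and 99999 zeros), which exceeds `BUF`, so the heap path is taken and no stack write beyond 1089 bytes ever happens; with `%.2f` the stack path is used. Option 1 is simpler but silently truncates what the caller asked for, which is the trade-off the message weighs when it prefers option 2.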