Fix out of bounds read in printf

elttil · elttil · commit 28a06e967d7c · 2025-11-10T17:17:35.000+01:00
When printf is given the format '%*' it would overflow and print environment variables. This fixes issue #574.
diff --git a/toys/posix/printf.c b/toys/posix/printf.c
@@ -97,7 +97,7 @@ void printf_main(void)
 
         // Parse width.precision between % and type indicator.
         *to++ = '%';
-        while (strchr("-+# '0", *f) && (to-toybuf)<10) *to++ = *f++;
+        while (stridx("-+# '0", *f) != -1 && (to-toybuf)<10) *to++ = *f++;
         for (;;) {
           if (chrstart(&f, '*')) {
             if (*arg) wp[i] = atolx(*arg++);
@@ -118,15 +118,15 @@ void printf_main(void)
           continue;
         } else if (c == 'c') printf(toybuf, wp[0], wp[1], *aa);
         else if (c == 's') printf(toybuf, wp[0], wp[1], aa);
-        else if (strchr("diouxX", c)) {
+        else if (stridx("diouxX", c) != -1) {
           long long ll;
 
           if (*aa == '\'' || *aa == '"') ll = aa[1];
           else ll = strtoll(aa, &end, 0);
 
           sprintf(to, "*.*ll%c", c);
           printf(toybuf, wp[0], wp[1], ll);
-        } else if (strchr("feEgG", c)) {
+        } else if (stridx("feEgG", c) != -1) {
           long double ld = strtold(aa, &end);
 
           sprintf(to, "*.*L%c", c);
