Don't assume nul termination in printf

vitaut · vitaut · commit 66800a755a8b · 2026-03-23T10:45:34.000-07:00
Thanks ZUENS2020 for reporting.
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
@@ -48,6 +48,8 @@ jobs:
           - cxx: clang++-14
             build_type: Debug
             std: 20
+            cxxflags: -fsanitize=address,undefined
+            cxxflags_extra: -fno-sanitize-recover=all -fno-omit-frame-pointer
           - cxx: clang++-14
             build_type: Debug
             std: 20
@@ -154,7 +156,7 @@ jobs:
       working-directory: ${{runner.workspace}}/build
       env:
         CXX: ${{matrix.cxx}}
-        CXXFLAGS: ${{matrix.cxxflags}}
+        CXXFLAGS: ${{matrix.cxxflags}} ${{matrix.cxxflags_extra}}
       run: |
         cmake -DCMAKE_BUILD_TYPE=${{matrix.build_type}} \
               -DCMAKE_CXX_STANDARD=${{matrix.std}} \
diff --git a/include/fmt/printf.h b/include/fmt/printf.h
@@ -330,6 +330,7 @@ template <typename Char, typename GetArg>
 auto parse_header(const Char*& it, const Char* end, format_specs& specs,
                   GetArg get_arg) -> int {
   int arg_index = -1;
+  if (it == end) return arg_index;
   Char c = *it;
   if (c >= '0' && c <= '9') {
     // Parse an argument index (if followed by '$') or a width possibly
diff --git a/test/printf-test.cc b/test/printf-test.cc
@@ -313,7 +313,8 @@ TEST(printf_test, positional_precision) {
   EXPECT_EQ("Hell", test_sprintf("%2$.*1$s", 4, "Hello"));
   EXPECT_THROW_MSG(test_sprintf("%2$.*1$d", 5.0, 42), format_error,
                    "precision is not integer");
-  EXPECT_THROW_MSG(test_sprintf("%2$.*1$d"), format_error, "argument not found");
+  EXPECT_THROW_MSG(test_sprintf("%2$.*1$d"), format_error,
+                   "argument not found");
   EXPECT_THROW_MSG(test_sprintf("%2$.*1$d", big_num, 42), format_error,
                    "number is too big");
 }
@@ -322,7 +323,8 @@ TEST(printf_test, positional_width_and_precision) {
   EXPECT_EQ("  00042", test_sprintf("%3$*1$.*2$d", 7, 5, 42));
   EXPECT_EQ("     ab", test_sprintf("%3$*1$.*2$s", 7, 2, "abcdef"));
   EXPECT_EQ("  00042", test_sprintf("%3$*1$.*2$x", 7, 5, 0x42));
-  EXPECT_EQ("100.4400000", test_sprintf("%6$-*5$.*4$f%3$s%2$s%1$s", "", "", "", 7, 4, 100.44));
+  EXPECT_EQ("100.4400000",
+            test_sprintf("%6$-*5$.*4$f%3$s%2$s%1$s", "", "", "", 7, 4, 100.44));
 }
 
 template <typename T> struct make_signed {
@@ -555,3 +557,8 @@ TEST(printf_test, make_printf_args) {
             fmt::vsprintf(fmt::basic_string_view<wchar_t>(L"[%d] %s happened"),
                           {fmt::make_printf_args<wchar_t>(n, L"something")}));
 }
+
+TEST(printf_test, trailing_percent_non_nul_terminated) {
+  auto p = std::unique_ptr<char>(new char('%'));
+  EXPECT_THROW(fmt::sprintf(fmt::string_view(p.get(), 1)), format_error);
+}
