From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.0) Gecko/20020529

Description of problem:
Routine register_printf_function() in stdio-common/reg-printf.c forgets to clear the table when allocating it, before inserting the first translation function. The table is consulted for all format characters, not just those that use the registered arginfo or functions. So if malloc() happens to return a block that was used before, then parse_one_spec() will go wrong if the consulted slot has non-zero garbage.

Version-Release number of selected component (if applicable):
glibc-2.3.2-11.9

How reproducible:
Always

Steps to Reproduce:
1. Run testcase stdio-common/tst-printfsz.
2. Watch as parse_one_spec() examines the entry for 'g' which has not been initialized.
3.

Actual Results:
__printf_arginfo_table['g'] and __printf_function_table['g'] are used even though they have not been initialized. In the usual case, malloc() without any preceding free() happens to return zeroed memory [as if calloc()].

Expected Results:
__printf_arginfo_table and __printf_function_table should be initialized before use.

Additional info:
Fix: s/malloc/calloc/ in stdio-common/reg-printf.c line 49. This could have been detected by running valgrind (or any other uninit memory detector) when running the glibc testcases.
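Added illustration of the defect pattern the report describes (this is not glibc's reg-printf.c, and the table, handler type and allocator are hypothetical stand-ins for __printf_function_table and malloc()). A per-character dispatch table is allocated on first registration and then consulted for every format character. To make the "malloc() returns a block that was used before" case deterministic, a one-block recycled allocator always hands back the same uncleared storage; the buggy registration leaves a stale pointer visible in the slot for 'g', while the calloc-style registration zeroes the table first.

```c
/* Hypothetical miniature of the reg-printf.c bug: NOT glibc code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*spec_handler)(char spec);   /* hypothetical handler signature */
#define TABLE_SLOTS 256                   /* one slot per format character */

/* A one-block "heap" standing in for malloc() returning a previously used
 * chunk: it returns the same static storage every time and never clears it,
 * so whatever the previous owner left there is still visible. */
static unsigned char recycled_block[TABLE_SLOTS * sizeof(spec_handler)];

static void *recycled_malloc(size_t n) {
    return n <= sizeof recycled_block ? recycled_block : NULL;
}
static void *recycled_calloc(size_t count, size_t size) {
    void *p = recycled_malloc(count * size);
    if (p) memset(p, 0, count * size);    /* the one difference that matters */
    return p;
}

static int handle_b(char spec) { (void)spec; return 'B'; }      /* registered for 'b' */
static int stale_handler(char spec) { (void)spec; return 'X'; } /* left behind by a previous owner */

/* Buggy pattern: allocate without clearing, then fill in a single slot.
 * Every other slot keeps whatever bytes the allocator handed back. */
static spec_handler *register_buggy(spec_handler *table, unsigned char spec, spec_handler fn) {
    if (table == NULL) table = recycled_malloc(TABLE_SLOTS * sizeof *table);
    if (table) table[spec] = fn;
    return table;
}

/* Fixed pattern (the report's s/malloc/calloc/): the table starts zeroed. */
static spec_handler *register_fixed(spec_handler *table, unsigned char spec, spec_handler fn) {
    if (table == NULL) table = recycled_calloc(TABLE_SLOTS, sizeof *table);
    if (table) table[spec] = fn;
    return table;
}

/* The consumer consults the table for *every* format character, as the
 * report says parse_one_spec() does: a non-NULL slot means "custom handler". */
static int dispatch(spec_handler *table, unsigned char spec) {
    if (table && table[spec]) return table[spec](spec);
    return 0;                             /* 0 = fall back to built-in handling */
}

/* Simulate the block's earlier life: a previous user installed a handler
 * for 'g' and then released the block without clearing it (constructed). */
static void leave_stale_entries(void) {
    spec_handler *old = recycled_malloc(TABLE_SLOTS * sizeof *old);
    memset(old, 0, TABLE_SLOTS * sizeof *old);
    old['g'] = stale_handler;
}

/* Look up 'g' after registering only 'b'. */
static int lookup_g_buggy(void) {
    leave_stale_entries();
    spec_handler *t = register_buggy(NULL, 'b', handle_b);
    return dispatch(t, 'g');              /* 'X': stale pointer was consulted */
}
static int lookup_g_fixed(void) {
    leave_stale_entries();
    spec_handler *t = register_fixed(NULL, 'b', handle_b);
    return dispatch(t, 'g');              /* 0: slot was zeroed before use */
}
/* The registered character still dispatches correctly after the fix. */
static int lookup_b_fixed(void) {
    leave_stale_entries();
    spec_handler *t = register_fixed(NULL, 'b', handle_b);
    return dispatch(t, 'b');              /* 'B' */
}

int main(void) {
    printf("buggy  lookup 'g': %d (expected 0, got stale handler if non-zero)\n", lookup_g_buggy());
    printf("fixed  lookup 'g': %d\n", lookup_g_fixed());
    printf("fixed  lookup 'b': %d\n", lookup_b_fixed());
    return 0;
}
```

With the real malloc() the stale slot only shows up when the allocator happens to recycle a dirty chunk, which is why the report notes that the usual no-free-yet case looks zeroed; an uninitialised-memory detector such as valgrind flags the read of table['g'] regardless of what the bytes contain.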
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2003-136.html