...
Because C99 allows NULL to be defined as either an integer constant or a pointer constant, any architecture on which int is not the same size as a pointer presents a particular hazard for variadic functions. If NULL is defined as an int on such a platform, then sizeof(NULL) != sizeof(void *). Consequently, a variadic function that expects an argument of pointer type will not receive NULL at the correct width (the default argument promotions never convert an int to a pointer), resulting in undefined behavior. The following code may therefore have undefined behavior:
```c
printf("%s %p %d\n", NULL, 1);
printf("%s\n", NULL);
```
On a system with a 32-bit int and 64-bit pointers, printf() may interpret the NULL as the high-order bits of the pointer and the third argument 1 as its low-order bits. In this case, printf() will print a pointer with the value 0x00000001 and then attempt to read an additional argument for the %d conversion specifier, an argument that was never provided.
...
```c
printf("%s %p %d\n", (void *)NULL, 1);
printf("%s\n", (char *)NULL);
```
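The same rule applies to any sentinel-terminated variadic function, where the terminating NULL is read back with va_arg as a pointer. The following added example (not from the CERT page; count_strings() and null_needs_cast() are hypothetical names) shows such a function together with a compliant call that casts the sentinel, plus a runtime check for whether a bare NULL would be narrower than a pointer on the current platform.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Nonzero when NULL expands to an integer constant that is not the same
 * width as a pointer: on such a platform a bare NULL passed through "..."
 * is read back by va_arg(ap, const char *) with the wrong size. */
int null_needs_cast(void) {
    return sizeof(NULL) != sizeof(void *);
}

/* Hypothetical sentinel-terminated variadic function in the style of
 * execl(): every "..." slot is fetched as a const char *, and the list
 * ends at the first null pointer. Callers must pass the terminator as a
 * pointer, e.g. (const char *)NULL, so it has pointer width on every ABI. */
size_t count_strings(const char *first, ...) {
    size_t n = 0;
    va_list ap;
    va_start(ap, first);
    for (const char *s = first; s != NULL; s = va_arg(ap, const char *)) {
        n++;
    }
    va_end(ap);
    return n;
}

int main(void) {
    /* Compliant call: the sentinel is cast to the type va_arg will read. */
    size_t n = count_strings("ls", "-l", "/tmp", (const char *)NULL);
    printf("%zu arguments before the sentinel\n", n);
    printf("NULL %s a cast on this platform\n",
           null_needs_cast() ? "needs" : "does not need");
    return 0;
}
```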
Risk Assessment
Inconsistent typing in variadic functions can result in abnormal program termination or unintended information disclosure.
...