From: arne@vajhoej.dk

On 6/23/2025 6:33 PM, Craig A. Berry wrote:
> I haven't had time yet to dig into why the replacement wasn't working.

I did a little digging.

tds_vasprintf contains:

// fp = NLA0:
len = vfprintf(fp, fmt, ap);
// buf = malloc(len + 1)
if (vsprintf(buf, fmt, ap) != len)
     return -1;

And the test fails.

And it can be recreated outside of FreeTDS.

$ type zzzz.c
#include 
#include 

void test(const char *fmt, ...)
{
     va_list ap;
     va_start(ap, fmt);
     int len_1 = vfprintf(stdout, fmt, ap);
//    va_end(ap);
     fprintf(stdout, " [len=%d]\n", len_1);
     char buf[1000];
//    va_start(ap, fmt);
     int len_2 = vsprintf(buf, fmt, ap);
     va_end(ap);
     printf("%s [len=%d]\n", buf,len_2);
}

int main(int argc, char *argv[])
{
     test("INSERT INTO t1 VALUES(%d, '%s')", 999, "XXX");
     test("INSERT INTO t1 VALUES(%d, '%s')", 999, "XXX");
     test("INSERT INTO t1 VALUES(%d, '%s')", 999, "XXX");
     return 0;
}
$ cc zzzz
$ link zzzz
$ r zzzz
INSERT INTO t1 VALUES(999, 'XXX') [len=33]
INSERT INTO t1 VALUES(2060040508, '') [len=37]
INSERT INTO t1 VALUES(999, 'XXX') [len=33]
INSERT INTO t1 VALUES(2068038401, '') [len=37]
INSERT INTO t1 VALUES(999, 'XXX') [len=33]
INSERT INTO t1 VALUES(2068038401, '') [len=37]

It seems like vfprintf mess up ap so it is no longer good
for vsprintf.

And that is supposedly perfectly legal. C99 says:


As the functions vfprintf, vfscanf, vprintf, vscanf, vsnprintf,
vsprintf, and
vsscanf invoke the va_arg macro, the value of arg after the return is
indeterminate.


Unfortunately that means that the entire fallback algorithm
in tds_vasprintf (write to null device to find output size,
allocate buffer of correct size and then write to buffer)
is broken.

Arne

--- SoupGate-Win32 v1.05
 * Origin: you cannot sedate... all the things you hate (1:229/2)