
Fix out of bounds read in printf with trailing '%'#102472

Merged
Algunenano merged 1 commit into ClickHouse:master from Algunenano:fmt_oob
Apr 12, 2026

@Algunenano
Member

Changelog category (leave one):

  • Bug Fix (user-visible misbehavior in an official stable release)

Changelog entry (a user-readable short description of the changes that goes into CHANGELOG.md):

Fix out of bounds read in printf with trailing '%'

Documentation entry for user-facing changes

  • Documentation is written (mandatory for new features)

@clickhouse-gh
Contributor

clickhouse-gh Bot commented Apr 11, 2026

Workflow [PR], commit [ed87fe3]

Summary:

| job_name | test_name | status | info | comment |
|---|---|---|---|---|
| Bugfix validation (functional tests) | | failure | | |
| | 04094_printf_trailing_percent | FAIL | cidb | IGNORED |

AI Review

Summary

This PR updates contrib/fmtlib to ClickHouse/fmt commit 4d9c4a8 (fixing an out-of-bounds read in vprintf for trailing %) and adds stateless regression coverage in 04094_printf_trailing_percent for trailing/escaped % in both constant and materialized format paths. The change is narrowly scoped, includes adversarial boundary cases for the reported issue, and I did not find correctness, safety, or rollout blockers.

ClickHouse Rules
Item Status Notes
Deletion logging
Serialization versioning
Core-area scrutiny
No test removal
Experimental gate
No magic constants
Backward compatibility
SettingsChangesHistory.cpp
PR metadata quality
Safe rollout
Compilation time
No large/binary files
Final Verdict
  • Status: ✅ Approve

@clickhouse-gh Bot added the labels pr-bugfix (Pull request with bugfix, not backported by default) and submodule changed (At least one submodule changed in this PR.) Apr 11, 2026
@alexey-milovidov changed the title from "Fix out of bounds read in prinft with trailing '%'" to "Fix out of bounds read in printf with trailing '%'" Apr 12, 2026
@alexey-milovidov self-assigned this Apr 12, 2026
@Algunenano added this pull request to the merge queue Apr 12, 2026
@alexey-milovidov
Member

@Algunenano, please check this: #97014
So you will not have to ignore the bugfix check.

Merged via the queue into ClickHouse:master with commit 2fde84c Apr 12, 2026
162 of 164 checks passed
@Algunenano deleted the fmt_oob branch April 12, 2026 18:09
@clickgapai
Contributor

Hi — this PR may need backporting to 25.3, 25.2, 24.8, 24.12, but no backport label was found.

Why: Fixes an out-of-bounds read (MSan finding) in printf that can be triggered by any user query with a trailing percent in the format string. Safe submodule-only change suitable for backport.

Other supported branches (26.3, 26.2, 26.1, 25.8) are not affected — the changed code does not exist there.

If this should be backported, consider adding pr-must-backport or a version-specific label (e.g. v25.3-must-backport). Ignore this if backporting is not applicable.

@robot-ch-test-poll added the pr-synced-to-cloud label (The PR is synced to the cloud repo) Apr 12, 2026
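
The failure mode discussed in this thread, as an added example (not code from fmt, ClickHouse, or any participant here): a printf-style scanner over a length-delimited format string has to re-check the end of the buffer after every '%'. `count_printf_specs` is a hypothetical helper, and rejecting a dangling '%' is a choice made for this example, not a description of how the patched fmt behaves.

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Hypothetical helper (not fmt's or ClickHouse's code): counts conversion
// specifiers in a length-delimited printf-style format. Returns std::nullopt
// when the format ends in the middle of a specifier, such as a trailing '%'.
std::optional<std::size_t> count_printf_specs(std::string_view fmt)
{
    constexpr std::string_view flags_width = "-+ #0123456789.";
    std::size_t specs = 0;
    const char * it = fmt.data();
    const char * const end = it + fmt.size();
    while (it != end)
    {
        if (*it++ != '%')
            continue;                 // literal text
        // An unchecked scanner reads *it here. After a trailing '%', it == end,
        // so that read is one byte past the buffer (no NUL terminator is guaranteed).
        if (it == end)
            return std::nullopt;      // dangling '%': reject instead of reading
        if (*it == '%')
        {
            ++it;                     // "%%" is an escaped percent sign
            continue;
        }
        // Skip flags, width and precision, re-checking the bound on every step.
        while (it != end && flags_width.find(*it) != std::string_view::npos)
            ++it;
        if (it == end)
            return std::nullopt;      // e.g. "%5" has no conversion character
        ++it;                         // conversion character (length modifiers not modelled)
        ++specs;
    }
    return specs;
}

int main()
{
    const char raw[] = {'5', '0', '%'};   // constructed input: no NUL after the '%'
    for (std::string_view f : {std::string_view("%d rows"), std::string_view("100%%"), std::string_view(raw, sizeof raw)})
    {
        auto n = count_printf_specs(f);
        std::cout << f << " -> " << (n ? std::to_string(*n) : "rejected") << '\n';
    }
}
```

Building this with AddressSanitizer or MemorySanitizer and removing the first `it == end` check makes the trailing-'%' input report the out-of-bounds read.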