What went wrong: While installing, compilation produces the warnings below
What did you expect to happen? No warning, as used to be the case
Which version of nodejs and OS?
node 8.9.4
OS: Linux 4.13.0-25-generic #29-Ubuntu SMP Mon Jan 8 21:14:41 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
GCC version: cc (Ubuntu 7.2.0-8ubuntu3) 7.2.0
../src/bcrypt.cc: In function ‘void encode_salt(char*, u_int8_t*, u_int16_t, u_int8_t)’:
../src/bcrypt.cc:132:1: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
encode_salt(char *salt, u_int8_t *csalt, u_int16_t clen, u_int8_t logr)
^~~~~~~~~~~
In file included from /usr/include/stdio.h:862:0,
from ../src/bcrypt.cc:48:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:65:44: note: ‘__builtin___snprintf_chk’ output between 4 and 5 bytes into a destination of size 4
__bos (__s), __fmt, __va_arg_pack ());
^
../src/bcrypt.cc: In function ‘void bcrypt(const char*, const char*, char*)’:
../src/bcrypt.cc:165:1: warning: ‘__builtin___snprintf_chk’ output may be truncated before the last format character [-Wformat-truncation=]
bcrypt(const char *key, const char *salt, char *encrypted)
^~~~~~
In file included from /usr/include/stdio.h:862:0,
from ../src/bcrypt.cc:48:
/usr/include/x86_64-linux-gnu/bits/stdio2.h:65:44: note: ‘__builtin___snprintf_chk’ output between 4 and 5 bytes into a destination of size 4
__bos (__s), __fmt, __va_arg_pack ());
Why it happens (AIUI)
The code invokes snprintf(encrypted + i, 4, "%2.2u$", logr); in both encode_salt() and bcrypt().
In both cases, the caller knows that logr <= 31, so the result will look like "xy" and will actually fit in 2 bytes.
However, the compiler only knows that logr is a byte, so can be anything <= 255, hence potentially 3 bytes instead of two, triggering the snprintf() truncation, so it emits the format_truncation warning, which it apparently did not in GCC 6 and lower.
Judging from GitHub search results, multiple packages have been hit by this warning.
Fix ideas
Use a wider format, like "%3.3u$". Changes expectations.
Disable this warning, maybe using CXXFLAGS="-Wformat-truncation=0", or configuring options in binding.gyp
Make the compiler aware of the fact that logr is less than 0x20, maybe by invoking the function like:
snprintf(salt+4, 4, "%2.2u$", logr&0x20);
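Added example, not part of the original issue or the project's code: a small C program showing what the warned-about call does at runtime for values the compiler cannot rule out, next to a variant that enforces the bound and checks the return value of snprintf(). The function names and sample inputs are hypothetical; the format string, the 4-byte destination and the logr <= 31 bound come from the issue text.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same call shape as in the issue: "%2.2u$" into a 4-byte window.
 * Returns what snprintf reports: the length it needed, excluding the NUL. */
static int format_cost_unchecked(char *dst, size_t dstlen, uint8_t logr)
{
    return snprintf(dst, dstlen, "%2.2u$", (unsigned)logr);
}

/* Hypothetical hardened variant: enforce the bound the caller relies on
 * (logr <= 31, per the issue) and treat truncation as an error. */
static int format_cost_checked(char *dst, size_t dstlen, uint8_t logr)
{
    if (logr > 31)
        return -1;
    int n = snprintf(dst, dstlen, "%2.2u$", (unsigned)logr);
    if (n < 0 || (size_t)n >= dstlen)
        return -1;              /* output did not fit, '$' would be lost */
    return 0;
}

int main(void)
{
    char buf[4];
    const uint8_t samples[] = { 5, 12, 31, 100, 255 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int need = format_cost_unchecked(buf, sizeof buf, samples[i]);
        printf("logr=%3u unchecked: wrote \"%s\" (needed %d chars), ",
               (unsigned)samples[i], buf, need);
        printf("checked: %s\n",
               format_cost_checked(buf, sizeof buf, samples[i]) == 0
                   ? "ok" : "rejected");
    }
    return 0;
}
```

For three-digit values the unchecked call stays inside the buffer but silently drops the trailing "$", which is the truncation the warning refers to.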