Issue 6: Buffer overflow in vsnprintf
Reported by Kirill:
vsnprintf() can overrun a buffer when writing the end nul character.
The following was proposed:
--- snprintf.c.orig 2013-09-20 17:30:51.000000000 +0400
+++ snprintf.c 2013-10-22 18:42:24.984254461 +0400
@@ -110,9 +110,12 @@
struct nbuf nbuf = { buf, n };
done = format( bufnwrite, (void *)&nbuf, fmt, ap );
- if ( 0 <= done )
- buf[done] = '\0';
-
+ if ( 0 <= done ) {
+ if (done>=n) { /* overflow */
+ if (n!=0) buf[n-1]=0;
+ }
+ else buf[done] = '\0';
+ }
return done;
}
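Review bot: the overflow branch (done>=n) still returns done unchanged and nothing in the hunk says so, so a reader cannot tell that a return value of n or more means the output was truncated; a short comment at the return would document that contract. The same branch writes the terminator as buf[n-1]=0 while the else arm uses '\0', and its spacing differs from the surrounding "if ( 0 <= done )" style; using '\0' and the file's spacing in both arms would keep the function consistent. If done is a signed int and n is a size_t (their declarations are outside these lines), the comparison is mixed-sign and only safe because of the enclosing 0 <= done guard, so an explicit cast would make the intent visible. The change also depends on bufnwrite never storing more than n characters, which should be confirmed since that code is not part of this hunk.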
Oct 23, 2013
Project Member
#1
neil.johnson71
Status: Started
Mar 17, 2014
Fix checked in.
Status: Fixed