READ-ONLY: This project has been archived. For more information see this post.
Issue 6: Buffer overflow in vsnprintf
Status:  Fixed
Owner:  neil.johnson71
Closed:  Mar 2014


 
Project Member Reported by neil.johnson71, Oct 22, 2013
Reported by Kirill:

vsnprintf() can overrun a buffer when writing the end nul character.
The following was proposed:

--- snprintf.c.orig     2013-09-20 17:30:51.000000000 +0400
+++ snprintf.c  2013-10-22 18:42:24.984254461 +0400
@@ -110,9 +110,12 @@
     struct nbuf nbuf = { buf, n };

     done = format( bufnwrite, (void *)&nbuf, fmt, ap );
-    if ( 0 <= done )
-        buf[done] = '\0';
-
+    if ( 0 <= done ) {
+        if (done>=n) { /* overflow */
+                if (n!=0) buf[n-1]=0;
+        }
+        else buf[done] = '\0';
+    }
     return done;
 }
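
Review bot: the `done>=n` test in the new overflow branch compares the return value of format() against the size argument, and the hunk does not show the types of either. If `done` is a signed int and `n` is a size_t, the comparison is carried out unsigned and is only correct because the outer `0 <= done` check runs first, so a short comment or an explicit `(size_t)done >= n` would make that dependency visible. The error path is unchanged: when format() returns a negative value nothing is stored in `buf`, so for a non-zero `n` the caller can still receive a buffer with no terminator; consider writing `buf[0] = '\0'` there or documenting that the contents are unspecified on error. Minor style: the overflow branch stores `0` while the else branch stores `'\0'`, and the nested indentation departs from the four-space style of the surrounding lines; `if (n != 0) buf[n-1] = '\0';` would match.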


Oct 23, 2013
Project Member #1 neil.johnson71
(No comment was entered for this change.)
Status: Started
Mar 17, 2014
Project Member #2 neil.johnson71
Fix checked in.
Status: Fixed
