Buffer overflow in vsnprintf
GoogleCodeExporter opened this issue
Google Code Exporter commented
Reported by Kirill:
vsnprintf() can overrun a buffer when writing the end nul character.
The following was proposed:
--- snprintf.c.orig 2013-09-20 17:30:51.000000000 +0400
+++ snprintf.c 2013-10-22 18:42:24.984254461 +0400
@@ -110,9 +110,12 @@
struct nbuf nbuf = { buf, n };
done = format( bufnwrite, (void *)&nbuf, fmt, ap );
- if ( 0 <= done )
- buf[done] = '\0';
-
+ if ( 0 <= done ) {
+ if (done>=n) { /* overflow */
+ if (n!=0) buf[n-1]=0;
+ }
+ else buf[done] = '\0';
+ }
return done;
}
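Review bot: The new test `if (done>=n)` compares the return value of `format()` with the buffer size, and their declarations are outside this hunk; if `done` is an `int` and `n` is an unsigned size, the comparison is carried out in unsigned arithmetic and is only correct because of the enclosing `0 <= done` check. Making that explicit, for example `(size_t)done >= n`, would keep the bound from silently breaking if the outer check is ever restructured. The two branches also write the terminator differently (`buf[n-1]=0` versus `buf[done] = '\0'`); a single guarded store such as `if (n != 0) buf[done < n ? done : n-1] = '\0';` is easier to audit. The function still returns `done` when the output was truncated, so a short comment stating that the return value can be greater than or equal to `n` would help callers who use it as an index or length. Finally, this change only bounds the terminator write: it assumes `bufnwrite` already stops at the limit stored in `nbuf`, which is not visible here and is worth confirming alongside this fix.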
Original issue reported on code.google.com by neil.johnson71 on 22 Oct 2013 at 3:15
Google Code Exporter commented
Original comment by neil.johnson71 on 23 Oct 2013 at 1:43
- Changed state: Started
Google Code Exporter commented
Fix checked in.
Original comment by neil.johnson71 on 17 Mar 2014 at 2:34
- Changed state: Fixed