nejohnson / format

Lightweight printf-compatible format processing library

Buffer overflow in vsnprintf

GoogleCodeExporter opened this issue

Reported by Kirill:

vsnprintf() can overrun a buffer when writing the end nul character.
The following was proposed:

--- snprintf.c.orig     2013-09-20 17:30:51.000000000 +0400
+++ snprintf.c  2013-10-22 18:42:24.984254461 +0400
@@ -110,9 +110,12 @@
     struct nbuf nbuf = { buf, n };

     done = format( bufnwrite, (void *)&nbuf, fmt, ap );
-    if ( 0 <= done )
-        buf[done] = '\0';
-
+    if ( 0 <= done ) {
+        if (done>=n) { /* overflow */
+                if (n!=0) buf[n-1]=0;
+        }
+        else buf[done] = '\0';
+    }
     return done;
 }
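Review bot: The new test "if (done>=n)" compares two variables whose declarations are not visible in this hunk. If n is an unsigned size and done is a signed int, the comparison is mixed-sign and is correct only because of the enclosing "0 <= done" guard. An explicit "(size_t)done >= n" would make that dependency visible and keep compilers quiet. The nested if/else with a brace-less else could also collapse into one guarded store, for example "if ( n != 0 ) buf[ (size_t)done < n ? done : n - 1 ] = '\0';", which keeps the n == 0 case write-free and matches the '\0' spelling and spacing of the surrounding lines. Since "return done;" is unchanged, a short comment stating that the untruncated length is still returned on overflow would tell callers how to detect truncation.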


Original issue reported on code.google.com by neil.johnson71 on 22 Oct 2013 at 3:15

Original comment by neil.johnson71 on 23 Oct 2013 at 1:43

  • Changed state: Started
Fix checked in.

Original comment by neil.johnson71 on 17 Mar 2014 at 2:34

  • Changed state: Fixed