This is the mail archive of the cygwin-patches mailing list for the Cygwin project.


Re: [PATCH] cygwin: fix potential buffer overflow in small_sprintf


On Oct  9 18:57, Michael Haubenwallner wrote:
> With "%C" format string, argument may convert in up to MB_LEN_MAX bytes.
> Relying on sys_wcstombs to add a trailing zero here requires us to
> provide a large enough buffer.
> 
> * smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C".
> ---
>  winsup/cygwin/smallprint.cc | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
> index 3cec31cce..8553f7002 100644
> --- a/winsup/cygwin/smallprint.cc
> +++ b/winsup/cygwin/smallprint.cc
> @@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
>  		case 'C':
>  		  {
>  		    WCHAR wc = (WCHAR) va_arg (ap, int);
> -		    char buf[4], *c;
> -		    sys_wcstombs (buf, 4, &wc, 1);
> +		    char buf[MB_LEN_MAX+1] = "", *c;
> +		    sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
>  		    for (c = buf; *c; ++c)
>  		      *dst++ = *c;
>  		  }
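
Review bot: The buffer size is spelled out twice, in the declaration `char buf[MB_LEN_MAX+1]` and again in the call `sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1)`, just as the old `buf[4]` / `4` pair was; passing `sizeof buf` as the length would keep the two from drifting apart in a later edit. The copy loop `for (c = buf; *c; ++c)` still ignores the return value of sys_wcstombs and stops only on a NUL byte, so termination rests on the `= ""` initializer zero-filling the array and on the conversion writing no more than MB_LEN_MAX bytes; a one-line comment saying so would keep the initializer from being dropped later as redundant. No include change appears in this hunk, so it is worth confirming that smallprint.cc already sees MB_LEN_MAX through <limits.h>.
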
> -- 
> 2.14.2

Pushed.


Thanks,
Corinna

-- 
Corinna Vinschen                  Please, send mails regarding Cygwin to
Cygwin Maintainer                 cygwin AT cygwin DOT com
Red Hat
