2024-12-28 07:21:54 +03:00 · 2005-11-19 01:14:05 +00:00 · 2005-11-19 01:14:05 +00:00 · b7dee71f26
commit b7dee71f26
parent 8ce705d9cc
1 changed files with 22 additions and 1 deletions
--- a/source/lib/snprintf.c
+++ b/source/lib/snprintf.c
@ -89,6 +89,12 @@
 *
 *    Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
 *    if the C library has some snprintf functions already.
+ *
+ * Darren Tucker (dtucker@zip.com.au)
+ *    Fix bug allowing read overruns of the source string with "%.*s"
+ *    Usually harmless unless the read runs outside the process' allocation
+ *    (eg if your malloc does guard pages) in which case it will segfault.
+ *    From OpenSSH.  Also added test for same.
 **************************************************************/

 #ifndef NO_CONFIG_H
@ -479,7 +485,7 @@ static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 		value = "<NULL>";
 	}

-	for (strln = 0; value[strln]; ++strln); /* strlen */
+	for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
 	padlen = min - strln;
 	if (padlen < 0) 
 		padlen = 0;
@ -892,6 +898,7 @@ int smb_snprintf(char *str,size_t count,const char *fmt,...)
 {
 	char buf1[1024];
 	char buf2[1024];
+	char *buf3;
 	char *fp_fmt[] = {
 		"%1.1f",
 		"%-1.5f",
@ -1001,6 +1008,20 @@ int smb_snprintf(char *str,size_t count,const char *fmt,...)
 		}
 	}

+#define BUFSZ 2048
+
+	if ((buf3 = malloc(BUFSZ)) == NULL) {
+		fail++;
+	} else {
+		num++;
+		memset(buf3, 'a', BUFSZ);
+		snprintf(buf1, sizeof(buf1), "%.*s", 1, buf3);
+		if (strcmp(buf1, "a") != 0) {
+			printf("length limit buf1 '%s' expected 'a'\n", buf1);
+			fail++;
+		}
+        }
+
 	printf ("%d tests failed out of %d.\n", fail, num);

 	printf("seeing how many digits we support\n");