This is the mail archive of the cygwin-patches mailing list for the Cygwin project.
[PATCH] cygwin: fix potential buffer overflow in small_sprintf
- From: Michael Haubenwallner <michael dot haubenwallner at ssi-schaefer dot com>
- To: cygwin-patches at cygwin dot com
- Cc: Michael Haubenwallner <michael dot haubenwallner at ssi-schaefer dot com>
- Date: Mon, 9 Oct 2017 18:57:58 +0200
- Subject: [PATCH] cygwin: fix potential buffer overflow in small_sprintf
- Authentication-results: sourceware.org; auth=none
With "%C" format string, argument may convert in up to MB_LEN_MAX bytes.
Relying on sys_wcstombs to add a trailing zero here requires us to
provide a large enough buffer.
* smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C".
---
winsup/cygwin/smallprint.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
index 3cec31cce..8553f7002 100644
--- a/winsup/cygwin/smallprint.cc
+++ b/winsup/cygwin/smallprint.cc
@@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
case 'C':
{
WCHAR wc = (WCHAR) va_arg (ap, int);
- char buf[4], *c;
- sys_wcstombs (buf, 4, &wc, 1);
+ char buf[MB_LEN_MAX+1] = "", *c;
+ sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
for (c = buf; *c; ++c)
*dst++ = *c;
}
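Review bot: The buffer size is written out twice, once in the declaration `char buf[MB_LEN_MAX+1]` and again as the second argument to `sys_wcstombs`, so a later edit to one can silently diverge from the other; passing `sizeof buf` at the call would keep them tied together. The copy loop `for (c = buf; *c; ++c)` still stops only on a NUL byte and the result of `sys_wcstombs` is discarded, so termination rests on the `= ""` zero-initialisation together with the callee never filling all MB_LEN_MAX+1 bytes. A one-line comment stating that invariant, or additionally bounding the loop with `c < buf + sizeof buf`, would make the copy safe by construction rather than by the callee's behaviour.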
--
2.14.2