This is the mail archive of the cygwin-patches mailing list for the Cygwin project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH] cygwin: fix potential buffer overflow in small_sprintf

From: Michael Haubenwallner <michael dot haubenwallner at ssi-schaefer dot com>
To: cygwin-patches at cygwin dot com
Cc: Michael Haubenwallner <michael dot haubenwallner at ssi-schaefer dot com>
Date: Mon, 9 Oct 2017 18:57:58 +0200
Subject: [PATCH] cygwin: fix potential buffer overflow in small_sprintf
Authentication-results: sourceware.org; auth=none

With "%C" format string, argument may convert in up to MB_LEN_MAX bytes.
Relying on sys_wcstombs to add a trailing zero here requires us to
provide a large enough buffer.

* smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C".
---
 winsup/cygwin/smallprint.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
index 3cec31cce..8553f7002 100644
--- a/winsup/cygwin/smallprint.cc
+++ b/winsup/cygwin/smallprint.cc
@@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
 		case 'C':
 		  {
 		    WCHAR wc = (WCHAR) va_arg (ap, int);
-		    char buf[4], *c;
-		    sys_wcstombs (buf, 4, &wc, 1);
+		    char buf[MB_LEN_MAX+1] = "", *c;
+		    sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
 		    for (c = buf; *c; ++c)
 		      *dst++ = *c;
 		  }
-- 
2.14.2

Follow-Ups:
- Re: [PATCH] cygwin: fix potential buffer overflow in small_sprintf
  - From: Corinna Vinschen

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]