[PATCH] cygwin: fix potential buffer overflow in small_sprintf
Michael Haubenwallner
michael.haubenwallner@ssi-schaefer.com
Mon Oct 9 16:58:00 GMT 2017
With "%C" format string, argument may convert in up to MB_LEN_MAX bytes.
Relying on sys_wcstombs to add a trailing zero here requires us to
provide a large enough buffer.
* smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C".
---
winsup/cygwin/smallprint.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
index 3cec31cce..8553f7002 100644
--- a/winsup/cygwin/smallprint.cc
+++ b/winsup/cygwin/smallprint.cc
@@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
case 'C':
{
WCHAR wc = (WCHAR) va_arg (ap, int);
- char buf[4], *c;
- sys_wcstombs (buf, 4, &wc, 1);
+ char buf[MB_LEN_MAX+1] = "", *c;
+ sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
for (c = buf; *c; ++c)
*dst++ = *c;
}
--
2.14.2
More information about the Cygwin-patches
mailing list