[PATCH] cygwin: fix potential buffer overflow in small_sprintf
Corinna Vinschen
corinna-cygwin@cygwin.com
Tue Oct 10 11:48:00 GMT 2017
On Oct 9 18:57, Michael Haubenwallner wrote:
> With "%C" format string, argument may convert in up to MB_LEN_MAX bytes.
> Relying on sys_wcstombs to add a trailing zero here requires us to
> provide a large enough buffer.
>
> * smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C".
> ---
> winsup/cygwin/smallprint.cc | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
> index 3cec31cce..8553f7002 100644
> --- a/winsup/cygwin/smallprint.cc
> +++ b/winsup/cygwin/smallprint.cc
> @@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
> case 'C':
> {
> WCHAR wc = (WCHAR) va_arg (ap, int);
> - char buf[4], *c;
> - sys_wcstombs (buf, 4, &wc, 1);
> + char buf[MB_LEN_MAX+1] = "", *c;
> + sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
> for (c = buf; *c; ++c)
> *dst++ = *c;
> }
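Review bot: In the 'C' case the buffer size is now written out twice, in the declaration "char buf[MB_LEN_MAX+1]" and again as the second argument of sys_wcstombs; passing "sizeof buf" in the call would keep the two from drifting apart if the declaration is ever changed. The copy loop "for (c = buf; *c; ++c)" still stops only on a NUL byte in buf and the result of sys_wcstombs is discarded, so termination depends on the new = "" initializer zero-filling the array plus the trailing zero the commit message relies on. A one-line comment stating that dependency, or a check of the call's result before copying, would make the invariant explicit for the next reader.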
> --
> 2.14.2
Pushed.
Thanks,
Corinna
--
Corinna Vinschen Please, send mails regarding Cygwin to
Cygwin Maintainer cygwin AT cygwin DOT com
Red Hat