This is the mail archive of the
cygwin-cvs@cygwin.com
mailing list for the Cygwin project.
[newlib-cygwin] cygwin: fix potential buffer overflow in small_sprintf
- From: Corinna Vinschen <corinna at sourceware dot org>
- To: cygwin-cvs at sourceware dot org
- Date: 10 Oct 2017 11:48:45 -0000
- Subject: [newlib-cygwin] cygwin: fix potential buffer overflow in small_sprintf
https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=44499712954d7450262da9db4ee4219e40b1aaac
commit 44499712954d7450262da9db4ee4219e40b1aaac
Author: Michael Haubenwallner <michael.haubenwallner@ssi-schaefer.com>
Date: Mon Oct 9 18:57:58 2017 +0200
cygwin: fix potential buffer overflow in small_sprintf
With "%C" format string, argument may convert in up to MB_LEN_MAX bytes.
Relying on sys_wcstombs to add a trailing zero here requires us to
provide a large enough buffer.
* smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C".
Diff:
---
winsup/cygwin/smallprint.cc | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
index 3cec31c..8553f70 100644
--- a/winsup/cygwin/smallprint.cc
+++ b/winsup/cygwin/smallprint.cc
@@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
case 'C':
{
WCHAR wc = (WCHAR) va_arg (ap, int);
- char buf[4], *c;
- sys_wcstombs (buf, 4, &wc, 1);
+ char buf[MB_LEN_MAX+1] = "", *c;
+ sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
for (c = buf; *c; ++c)
*dst++ = *c;
}