OSSP CVS Repository

Ticket 6: str_vformat with %.10s specifier can read invalid memory

str_vformat() with a format string of '%.10s' can read undefined memory if the string is not NUL terminated.

I fixed this by changing the following code from around line 857 of str_format.c:

                case 's':
                    s = va_arg(ap, char *);
                    if (s != NULL) {
                        s_len = str_len(s);
                        if (adjust_precision && precision < s_len)
                            s_len = precision;
                    }
                    else {
                        s = S_NULL;
                        s_len = S_NULL_LEN;
                    }
                    pad_char = ' ';
                    break;

to:

                case 's':
                    s = va_arg(ap, char *);
                    if (s != NULL) {
                        const char *p = s;
                        int maxlen = adjust_precision ? precision : INT_MAX;
                        s_len = 0;
                        while (*p++ != 0 && maxlen-- > 0)
                            s_len++;
                        if (adjust_precision && precision < s_len)
                            s_len = precision;
                    }
                    else {
                        s = (char *) S_NULL;
                        s_len = S_NULL_LEN;
                    }
                    pad_char = ' ';
                    break;

(There are probably better fixes.)

Hope that's helpful,

Joseph Heenan

[Append remarks]

Remarks:

2009-Jun-15 13:34:58 by anonymous:
the above code can still give a warning in valgrind; it's best to change the:

while (*p++ != 0 && maxlen-- > 0)

to:

while (maxlen-- > 0 && *p++ != 0)

[Append remarks]

Properties:

Type:	code		Version:	0.9.7
Status:	new		Created:	2002-Dec-03 13:58
Severity:	3		Last Change:	2009-Jun-15 13:34
Priority:	3		Subsystem:	str
Assigned To:	rse		Derived From:
Creator:	anonymous