OSSP CVS Repository

ossp - Ticket #6

Ticket 6: str_vformat with %.10s specifier can read invalid memory

str_vformat() with a format string of '%.10s' can read undefined memory if the string is not NUL terminated.

I fixed this by changing the following code from around line 857 of str_format.c:

                case 's':
                    s = va_arg(ap, char *);
                    if (s != NULL) {
                        s_len = str_len(s); /* scans to the NUL even when a precision bounds the output */
                        if (adjust_precision && precision < s_len)
                            s_len = precision;
                    }
                    else {
                        s = S_NULL;
                        s_len = S_NULL_LEN;
                    }
                    pad_char = ' ';
                    break;

to:

                case 's':
                    s = va_arg(ap, char *);
                    if (s != NULL) {
                        const char *p = s;
                        int maxlen = adjust_precision ? precision : INT_MAX;
                        s_len = 0;
                        while (*p++ != 0 && maxlen-- > 0)
                            s_len++;
                        if (adjust_precision && precision < s_len)
                            s_len = precision;
                    }
                    else {
                        s = (char *) S_NULL;
                        s_len = S_NULL_LEN;
                    }
                    pad_char = ' ';
                    break;

(There are probably better fixes.)

Hope that's helpful,

Joseph Heenan


Remarks:

2009-Jun-15 13:34:58 by anonymous:
The above code can still give a warning in valgrind; it's best to change the:

while (*p++ != 0 && maxlen-- > 0)

to:

while (maxlen-- > 0 && *p++ != 0)
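
As an added example (not code from the ticket or from OSSP str), the two operand orders discussed above, instrumented to report the highest index each one actually dereferences; the helper names, the demo_result struct and the padded sample buffer are assumptions of this example.

```c
#include <limits.h>

/* Hypothetical helpers, not OSSP str code: each computes the %s field
 * length under a precision budget of maxlen bytes (INT_MAX models "no
 * precision given") and reports the highest index it dereferenced, so
 * the two operand orders from the ticket can be compared on a buffer
 * padded enough to keep the extra read harmless here. */

/* `*p++ != 0 && maxlen-- > 0`: the byte is read before the budget is
 * checked, so with no NUL within maxlen bytes, s[maxlen] is touched. */
static int len_deref_first(const char *s, int maxlen, int *max_idx)
{
    int n = 0;
    for (;;) {
        *max_idx = n;                 /* about to read s[n] */
        if (s[n] == '\0') break;
        if (maxlen-- <= 0) break;     /* budget checked only afterwards */
        n++;
    }
    return n;
}

/* `maxlen-- > 0 && *p++ != 0`: the budget is checked first, so s[n] is
 * read only while n < maxlen; with maxlen == 0 nothing is read at all. */
static int len_budget_first(const char *s, int maxlen, int *max_idx)
{
    int n = 0;
    *max_idx = -1;
    while (maxlen-- > 0) {
        *max_idx = n;
        if (s[n] == '\0') break;
        n++;
    }
    return n;
}

typedef struct { int len_bug, idx_bug, len_fix, idx_fix; } demo_result;

/* Constructed input: ten non-NUL bytes then NUL padding, modelling "%.10s"
 * over a 10-byte buffer that is not NUL terminated; a real 10-byte buffer
 * would have nothing valid at index 10. */
demo_result demo(void)
{
    char region[16] = "0123456789";
    demo_result r;
    r.len_bug = len_deref_first(region, 10, &r.idx_bug);
    r.len_fix = len_budget_first(region, 10, &r.idx_fix);
    return r;
}
```

Both orders return the same field length; only the checked-first order stays within the ten bytes the caller actually owns.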


Properties:

Type: code
Status: new
Severity:
Priority:
Assigned To: rse
Creator: anonymous
Version: 0.9.7
Created: 2002-Dec-03 13:58
Last Change: 2009-Jun-15 13:34
Subsystem: str
Derived From:
