Closed Bug 162786 Opened 22 years ago Closed 21 years ago

PR_snprintf returns wrong string length

Categories

(NSPR :: NSPR, defect)

RESOLVED FIXED

People

(Reporter: warrensomebody, Assigned: wtc)

PR_snprintf can return the wrong print length in the case where the buffer overflows:

    char buf[5];
    size_t len = PR_snprintf(buf, sizeof(buf), "too_many_characters");

    => buf = "too_\0"
       len = 3   (buf is correct, but should be len = 4)

because, in:

    C:\checkout\third_party\mozilla\nsprpub\pr\src\io\prprf.c(1166):
    PR_IMPLEMENT(PRUint32) PR_snprintf(char *out, PRUint32 outlen, const char *fmt, ...)

in the code fragment:

    /* If we added chars, and we didn't append a null, do it now. */
    if( (ss.cur != ss.base) && (*(ss.cur - 1) != '\0') )
        *(--ss.cur) = '\0';

the --ss.cur should be ss.cur - 1

When there's no buffer overflow, ss.cur will point 1 char past the terminating NUL, but if there is an overflow, it will point at the terminating NUL. So the return value, which is 1 less than the difference between ss.cur and the beginning of the buffer, will be 1 too small in the overflow case.

Jonathan Tash (tash@kontiki.com)

Neither can it return -1, as documented in prprf.h :-/
The change that Jonathan Tash proposed is correct. r=wtc. I checked it in on the NSPR tip (NSPR 4.6) and NSPRPUB_PRE_4_2_CLIENT_BRANCH (Mozilla 1.8 alpha).
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.6
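
A reduced model of the cursor arithmetic described in the report, added here as an example (it is not NSPR source and not code posted by anyone on this bug). `State`, `limit_stuff` and `model_snprintf` are hypothetical names, and the model assumes a literal string with no % directives and a formatter that appends its own NUL only when room remains; it runs the reported fragment and the proposed one on the same truncating input.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the formatter state (hypothetical model, not NSPR source). */
typedef struct { char *base, *cur; unsigned maxlen; } State;

/* Copy at most the space left in the buffer; excess input is dropped. */
static void limit_stuff(State *ss, const char *sp, unsigned len) {
    unsigned limit = ss->maxlen - (unsigned)(ss->cur - ss->base);
    if (len > limit) len = limit;
    while (len--) *ss->cur++ = *sp++;
}

/* Model of the tail of PR_snprintf for a literal string.
 * fixed == 0: reported fragment, *(--ss.cur) = '\0'
 * fixed != 0: proposed fragment, *(ss.cur - 1) = '\0' */
unsigned model_snprintf(char *out, unsigned outlen, const char *text, int fixed) {
    State ss = { out, out, outlen };
    unsigned n;
    if (outlen == 0) return 0;
    limit_stuff(&ss, text, (unsigned)strlen(text));
    limit_stuff(&ss, "", 1);  /* assumed: formatter's own NUL, if it fits */
    /* If we added chars, and we didn't append a null, do it now. */
    if (ss.cur != ss.base && *(ss.cur - 1) != '\0') {
        if (fixed) *(ss.cur - 1) = '\0';
        else       *(--ss.cur) = '\0';
    }
    n = (unsigned)(ss.cur - ss.base);
    return n ? n - 1 : n;     /* "1 less than the difference", per the report */
}

int main(void) {
    const char *in[] = { "too_many_characters", "abc" };  /* constructed inputs */
    char buf[5];
    for (int i = 0; i < 2; i++) {
        for (int fixed = 0; fixed <= 1; fixed++) {
            unsigned len = model_snprintf(buf, sizeof buf, in[i], fixed);
            printf("%-20s %s: buf=\"%s\" returned=%u strlen=%zu\n", in[i],
                   fixed ? "fixed " : "before", buf, len, strlen(buf));
        }
    }
    return 0;
}
```

Comparing the returned value against `strlen(buf)` for both a fitting and a truncating input is the regression check that separates the two fragments: they agree when the string fits and differ by one only when it is truncated.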