Bug 162786: PR_snprintf returns wrong string length
Status: RESOLVED FIXED (opened 21 years ago, closed 20 years ago)
Categories: NSPR :: NSPR, defect
Tracking: Not tracked
Target Milestone: 4.6
People: Reporter: warrensomebody, Assigned: wtc
Details
PR_snprintf can return the wrong print length in the case where the buffer overflows:

    char buf[5];
    size_t len = PR_snprintf(buf, sizeof(buf), "too_many_characters");

=>

    buf = "too_\0"
    len = 3

(buf is correct, but should be len = 4)

because, in:

C:\checkout\third_party\mozilla\nsprpub\pr\src\io\prprf.c(1166):
PR_IMPLEMENT(PRUint32) PR_snprintf(char *out, PRUint32 outlen, const char *fmt, ...)

in the code fragment:

    /* If we added chars, and we didn't append a null, do it now. */
    if( (ss.cur != ss.base) && (*(ss.cur - 1) != '\0') )
        *(--ss.cur) = '\0';

the --ss.cur should be ss.cur - 1

When there's no buffer overflow, ss.cur will point 1 char past the terminating NUL, but if there is an overflow, it will point at the terminating NUL. So the return value, which is 1 less than the difference between ss.cur and the beginning of the buffer, will be 1 too small in the overflow case.

Jonathan Tash (tash@kontiki.com)
Comment 1•20 years ago
Neither can it return -1, as documented in prprf.h :-/
Comment 2•20 years ago (Assignee)
The change that Jonathan Tash proposed is correct. r=wtc. I checked it in on the NSPR tip (NSPR 4.6) and NSPRPUB_PRE_4_2_CLIENT_BRANCH (Mozilla 1.8 alpha).
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.6
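The off-by-one described in this report, as an added example that is not NSPR's code: a simplified model of a bounded writer whose tail either moves the cursor back onto the NUL (reported behaviour) or leaves it one past the NUL (proposed change). The names out_state, stuff and bounded_copy are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of a bounded output cursor (names are not NSPR's). */
struct out_state {
    char *base;     /* start of the caller's buffer */
    char *cur;      /* next write position */
    size_t maxlen;  /* buffer capacity in bytes */
};

/* Copy up to len bytes, silently dropping whatever does not fit. */
static void stuff(struct out_state *ss, const char *s, size_t len)
{
    size_t room = ss->maxlen - (size_t)(ss->cur - ss->base);
    if (len > room)
        len = room;
    memcpy(ss->cur, s, len);
    ss->cur += len;
}

/* Write text plus NUL, then report the stored length.
 * fixed == 0 models the reported behaviour, fixed != 0 the proposed change. */
static size_t bounded_copy(char *out, size_t outlen, const char *text, int fixed)
{
    struct out_state ss = { out, out, outlen };
    size_t n;
    if (outlen == 0)
        return 0;
    stuff(&ss, text, strlen(text));
    stuff(&ss, "", 1);                /* terminating NUL, if it still fits */
    /* If we added chars, and we didn't append a null, do it now. */
    if (ss.cur != ss.base && *(ss.cur - 1) != '\0') {
        if (fixed)
            *(ss.cur - 1) = '\0';     /* cursor stays one past the NUL */
        else
            *(--ss.cur) = '\0';       /* cursor now sits on the NUL */
    }
    n = (size_t)(ss.cur - ss.base);
    return n ? n - 1 : n;             /* length excludes the NUL */
}

int main(void)
{
    char buf[5];
    size_t len = bounded_copy(buf, sizeof buf, "too_many_characters", 0);
    printf("before: buf=\"%s\" len=%zu\n", buf, len);
    len = bounded_copy(buf, sizeof buf, "too_many_characters", 1);
    printf("after:  buf=\"%s\" len=%zu\n", buf, len);
    return 0;
}
```

The two variants agree whenever the text fits, so a test that never truncates will not catch the difference; compare the return value against strlen of the output on an overlong input.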