Closed Bug 162786 Opened 22 years ago Closed 21 years ago

PR_snprintf returns wrong string length

Categories

(NSPR :: NSPR, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: warrensomebody, Assigned: wtc)

Details

PR_snprintf can return the wrong print length in the case where the buffer
overflows:

char buf[5];
size_t len = PR_snprintf(buf, sizeof(buf), "too_many_characters");

=>

buf = "too_\0"
len = 3

(buf is correct, but should be len = 4)

because, in:

 C:\checkout\third_party\mozilla\nsprpub\pr\src\io\prprf.c(1166):
PR_IMPLEMENT(PRUint32) PR_snprintf(char *out, PRUint32 outlen, const char
*fmt, ...)

in the code fragment:

    /* If we added chars, and we didn't append a null, do it now. */
    if( (ss.cur != ss.base) && (*(ss.cur - 1) != '\0') )
        *(--ss.cur) = '\0';

the --ss.cur should be ss.cur - 1

When there's no buffer overflow, ss.cur will point 1
char past the terminating NUL, but if there is an overflow, it will point at
the terminating NUL.  So the return value, which is 1 less than the
difference between ss.cur and the beginning of the buffer, will be 1 too
small in the overflow case.

Jonathan Tash (tash@kontiki.com)
Neither can it return -1, as documented in prprf.h :-/
The change that Jonathan Tash proposed is correct. r=wtc.

I checked it in on the NSPR tip (NSPR 4.6) and
NSPRPUB_PRE_4_2_CLIENT_BRANCH (Mozilla 1.8 alpha).
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Target Milestone: --- → 4.6
You need to log in before you can comment on or make changes to this bug.