emacs-diffs

master 0ed913cf46a 2/5: Fix buffer overflows in doprnt (bug#75900)


From: Paul Eggert
Subject: master 0ed913cf46a 2/5: Fix buffer overflows in doprnt (bug#75900)
Date: Mon, 27 Jan 2025 20:16:53 -0500 (EST)

branch: master
commit 0ed913cf46a8b07a39b065216272a7aa07123282
Author: Pip Cet <pipcet@protonmail.com>
Commit: Paul Eggert <eggert@cs.ucla.edu>

    Fix buffer overflows in doprnt (bug#75900)
    
    * src/doprnt.c (doprnt): Clear rest of buffer on multibyte overflow.
    Always decrement bufsize when writing a byte.
---
 src/doprnt.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/doprnt.c b/src/doprnt.c
index 421c4f4d15f..d8403bedbe4 100644
--- a/src/doprnt.c
+++ b/src/doprnt.c
@@ -447,7 +447,8 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
                  while (tem != 0);
 
                  memcpy (bufptr, string, tem);
-                 bufptr[tem] = 0;
+                 while (tem < bufsize)
+                   bufptr[tem++] = 0;
                  /* Trigger exit from the loop, but make sure we
                     return to the caller a value which will indicate
                     that the buffer was too small.  */
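Review bot: The new clearing loop `while (tem < bufsize) bufptr[tem++] = 0;` advances `tem`, so after it `tem` no longer holds the number of bytes that `memcpy` copied. A `memset (bufptr + tem, 0, bufsize - tem)` would state the intent directly and leave `tem` untouched. Also note that when `tem == bufsize` the loop body never runs, so no terminating zero is written in this branch. That looks intentional, since it avoids a store at `bufptr[bufsize]`, but the comment below only mentions the return value. It would help to say there that the output may be unterminated when the truncated string fills the buffer exactly.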
@@ -499,6 +500,7 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
            fmtchar = '\'';
 
          *bufptr++ = fmtchar;
+         bufsize--;
          continue;
        }
       else
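Review bot: Nothing visible in this hunk shows that `bufsize` is at least 1 before `*bufptr++ = fmtchar;`, so the added `bufsize--;` corrects the accounting but the store itself still depends on a check made elsewhere. Please confirm the enclosing loop guarantees a free byte at this point, or add an assertion next to the store. Since `bufsize` is a `ptrdiff_t`, an unguarded decrement would make it negative rather than wrap, and later comparisons such as `tem < bufsize` in the first hunk would then behave differently from the zero case.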
@@ -524,7 +526,10 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char 
*format,
       else
        {
          do
-           *bufptr++ = *src++;
+           {
+             *bufptr++ = *src++;
+             bufsize--;
+           }
          while (--srclen != 0);
        }
     }
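Review bot: The copy loop in this last `else` branch is bounded only by `srclen`, and nothing in the hunk shows `srclen <= bufsize` being established before it, so the per-byte `bufsize--` keeps the count honest without limiting the writes. If the bound is checked earlier, a short comment or an assertion before the `do` would make that visible. This is also the second place in the patch where `*bufptr++ = ...` needed a matching `bufsize--` added by hand. A small helper that does both, or a single `bufsize -= srclen` beside a `memcpy`, would make it harder for a future store to miss the decrement again.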


