Fix buffer overflows in doprnt (bug#75900)
authorPip Cet <pipcet@protonmail.com>
Mon, 27 Jan 2025 21:05:07 +0000 (13:05 -0800)
committerEshel Yaron <me@eshelyaron.com>
Thu, 30 Jan 2025 18:08:48 +0000 (19:08 +0100)
* src/doprnt.c (doprnt): Clear rest of buffer on multibyte overflow.
Always decrement bufsize when writing a byte.

(cherry picked from commit 0ed913cf46a8b07a39b065216272a7aa07123282)

src/doprnt.c

index 421c4f4d15f095257206f4ae09b16796156a9137..d8403bedbe43a7e6807befd365a53f7a171a3873 100644 (file)
@@ -447,7 +447,8 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
                  while (tem != 0);
 
                  memcpy (bufptr, string, tem);
-                 bufptr[tem] = 0;
+                 while (tem < bufsize)
+                   bufptr[tem++] = 0;
                  /* Trigger exit from the loop, but make sure we
                     return to the caller a value which will indicate
                     that the buffer was too small.  */
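Review bot: The new fill loop `while (tem < bufsize) bufptr[tem++] = 0;` stops before index `bufsize`, so if `tem` can equal `bufsize` here it stores nothing, whereas the removed `bufptr[tem] = 0;` always wrote a terminator. NUL-termination in that case then depends on the exit path of doprnt, which lies outside this hunk. It is worth confirming that path and recording it in a comment such as `/* Zero the unused tail; the final NUL is stored when the loop exits.  */`. The fill would also read more directly, and leave `tem` unmodified for any later use, as `memset (bufptr + tem, 0, bufsize - tem);`.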
@@ -499,6 +500,7 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
            fmtchar = '\'';
 
          *bufptr++ = fmtchar;
+         bufsize--;
          continue;
        }
       else
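Review bot: The store `*bufptr++ = fmtchar;` and the added `bufsize--;` both rely on `bufsize > 0` at this point, and no such check is visible in the hunk. Presumably the enclosing loop condition in doprnt, which is outside this hunk, guarantees it. Because this overflow came from the write pointer and the remaining-space counter drifting apart, the invariant should be stated next to the write, for example `eassert (bufsize > 0);` before the store. A comment such as `/* bufsize is the number of bytes still free at bufptr; update both together.  */` would serve the same purpose. The same remark applies to the byte-copy loop in the `@@ -524,7 +526,10 @@` hunk.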
@@ -524,7 +526,10 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
       else
        {
          do
-           *bufptr++ = *src++;
+           {
+             *bufptr++ = *src++;
+             bufsize--;
+           }
          while (--srclen != 0);
        }
     }
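Review bot: The rewritten copy loop now updates three variables by hand for every byte, where a bulk copy would keep `bufptr` and `bufsize` in step in one place: `memcpy (bufptr, src, srclen); bufptr += srclen; bufsize -= srclen;`. That form assumes the test selecting this `else` branch has already established `srclen <= bufsize`, and that `src` and `srclen` are not read again afterwards. Both are outside the hunk and should be checked against the rest of the loop body. It would also remove the do/while form's dependence on `srclen` being nonzero on entry.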