fix for potential buffer overflow in snprintf() (from OpenBSD)

2003-03-05 01:15:48 +00:00 · 2003-03-05 01:15:48 +00:00 · 4b0ce4e260
parent c93c016461
commit 4b0ce4e260
1 changed files with 8 additions and 8 deletions
--- a/lib/libz/gzio.c
+++ b/lib/libz/gzio.c
@ -1,4 +1,4 @@
-/* $NetBSD: gzio.c,v 1.13 2003/01/28 22:35:02 wiz Exp $ */
+/* $NetBSD: gzio.c,v 1.14 2003/03/05 01:15:48 christos Exp $ */

 /* gzio.c -- IO on .gz files
 * Copyright (C) 1995-2002 Jean-loup Gailly.
@ -7,7 +7,7 @@
 * Compile this file with -DNO_DEFLATE to avoid the compression code.
 */

-/* @(#) $Id: gzio.c,v 1.13 2003/01/28 22:35:02 wiz Exp $ */
+/* @(#) $Id: gzio.c,v 1.14 2003/03/05 01:15:48 christos Exp $ */

 #include <stdio.h>

@ -532,13 +532,13 @@ int ZEXPORTVA gzprintf (gzFile file, const char *format, /* args */ ...)

    va_start(va, format);
 #ifdef HAS_vsnprintf
-    (void)vsnprintf(buf, sizeof(buf), format, va);
+    len = vsnprintf(buf, sizeof(buf), format, va);
 #else
    (void)vsprintf(buf, format, va);
+    len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
 #endif
    va_end(va);
-    len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
-    if (len <= 0) return 0;
+    if (len <= 0 || len >= sizeof(buf)) return 0;

    return gzwrite(file, buf, (unsigned)len);
 }
@ -555,14 +555,14 @@ int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
    int len;

 #ifdef HAS_snprintf
-    snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
+    len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
 	     a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
 #else
    sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
 	    a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#endif
    len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */
-    if (len <= 0) return 0;
+#endif
+    if (len <= 0 || len >= sizeof(buf)) return 0;

    return gzwrite(file, buf, len);
 }