Fix a potential buffer overrun in sqlite3_mprintf() when a non-terminated

string is passed to a "%s" format with a precision specifying the number of bytes to copy. (CVS 5067) FossilOrigin-Name: 1f5b18419bb4e2552ac26593381e2eb866bb67fd
2008-04-29 15:22:27 +00:00 · 2008-04-29 15:22:27 +00:00 · e509094bee
parent 2eaf93d34f
commit e509094bee
3 changed files with 12 additions and 9 deletions
--- a/12
+++ b/12
@ -1,5 +1,5 @@
-C Always\sconvert\sIEEE\sNaN\sinto\sNULL.\s\sTicket\s#3060.\s\sAdd\stest\scases\sto\sverify\nthat\sthis\sis\shappening.\s(CVS\s5066)
-D 2008-04-29T00:15:21
+C Fix\sa\spotential\sbuffer\soverrun\sin\ssqlite3_mprintf()\swhen\sa\snon-terminated\nstring\sis\spassed\sto\sa\s"%s"\sformat\swith\sa\sprecision\sspecifying\sthe\snumber\nof\sbytes\sto\scopy.\s(CVS\s5067)
+D 2008-04-29T15:22:27
 F Makefile.arm-wince-mingw32ce-gcc ac5f7b2cef0cd850d6f755ba6ee4ab961b1fadf7
 F Makefile.in 25b3282a4ac39388632c2fb0e044ff494d490952
 F Makefile.linux-gcc d53183f4aa6a9192d249731c90dbdffbd2c68654
@ -127,7 +127,7 @@ F src/pager.h 45ec2188593afd48a25c743529646771d75e83e4
 F src/parse.y fc4bd35c6088901f7c8daead26c6fb11c87d22e7
 F src/pragma.c 2e4bb2e76e48a32750529fdc4bfe86ac5f54e01b
 F src/prepare.c adc7e1fc08dfbab63cd213d4c0aff8f3fa70d477
-F src/printf.c 2d9bac813d1319babf3c6e925cf7ec5be1281c94
+F src/printf.c 77c192ccc81117d68b21b449cd33396357aa266d
 F src/random.c 2b2db2de4ab491f5a14d3480466f8f4b5a5db74a
 F src/select.c b02ee16591f0194739e7deb12099d3e98e60b7f3
 F src/server.c 087b92a39d883e3fa113cae259d64e4c7438bc96
@ -633,7 +633,7 @@ F www/tclsqlite.tcl 8be95ee6dba05eabcd27a9d91331c803f2ce2130
 F www/vdbe.tcl 87a31ace769f20d3627a64fa1fade7fed47b90d0
 F www/version3.tcl 890248cf7b70e60c383b0e84d77d5132b3ead42b
 F www/whentouse.tcl fc46eae081251c3c181bd79c5faef8195d7991a5
-P e6f71abb22fb74e5910d817caec98fa44070fc5f
-R e524df0bf8a8555789b9eeb5782f38f2
+P 9b07e59e510e2de39c2081653662fbc654ca6fbb
+R 5793178ea6130e42720ac3eacd25bef7
 U drh
-Z e4a613f256396e3f19a950003ad91fee
+Z 662aa440bf0ad4382085d54e6e7f7798
--- a/manifest.uuid
+++ b/manifest.uuid
@ -1 +1 @@
-9b07e59e510e2de39c2081653662fbc654ca6fbb
+1f5b18419bb4e2552ac26593381e2eb866bb67fd
--- a/src/printf.c
+++ b/src/printf.c
@ -627,8 +627,11 @@ static void vxprintf(
        }else if( xtype==etDYNSTRING ){
          zExtra = bufpt;
        }
-        length = strlen(bufpt);
-        if( precision>=0 && precision<length ) length = precision;
+        if( precision>=0 ){
+          for(length=0; length<precision && bufpt[length]; length++){}
+        }else{
+          length = strlen(bufpt);
+        }
        break;
      case etSQLESCAPE:
      case etSQLESCAPE2: