Currently, calls to [v]slprintf that have a string format (%s, %v,
%q) with a maximum length specified (e.g. %.20s) do a strlen() on
the string, and can therefore access memory beyond the maximum
length specified. If the string is not null-terminated, this could
result in an out-of-bounds read.
This makes vslprintf use strnlen() in cases where a maximum length
has been specified, so that we don't access the string beyond the
maximum length that was given.
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
if (fillch == '0' && prec >= 0) {
n = prec;
} else {
if (fillch == '0' && prec >= 0) {
n = prec;
} else {
- n = strlen((char *)p);
- if (prec >= 0 && n > prec)
- n = prec;
+ if (prec == -1)
+ n = strlen((char *)p);
+ else
+ n = strnlen((char *)p, prec);
}
while (n > 0 && buflen > 0) {
c = *p++;
}
while (n > 0 && buflen > 0) {
c = *p++;
}
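Review bot: The new guard `if (prec == -1)` is narrower than the `prec >= 0` test it replaces, so any other negative precision would fall into `n = strnlen((char *)p, prec);` with a negative int converted to size_t, which behaves like an unbounded strlen() and reintroduces the over-read this commit is meant to remove. Whether a value below -1 can reach this point depends on how the precision is parsed, which is outside the hunk (if the format parser accepts a `*` precision taken from the argument list, a caller can supply one); writing the guard as `if (prec < 0)` keeps the previous polarity and makes the bound hold regardless of the parser. The same narrowing applies to the `len` branch in the second hunk, `if (prec == -1) len = strlen(str); else len = strnlen(str, prec);`. The enclosing function starts and ends outside the hunk.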
len = num + sizeof(num) - 1 - str;
} else {
}
len = num + sizeof(num) - 1 - str;
} else {
- len = strlen(str);
- if (prec >= 0 && len > prec)
- len = prec;
+ if (prec == -1)
+ len = strlen(str);
+ else
+ len = strnlen(str, prec);
}
if (width > 0) {
if (width > buflen)
}
if (width > 0) {
if (width > buflen)