[Bug 6677] New: Buffer overflows in the msvcrt *printf family

Wine Bugs wine-bugs at winehq.org
Mon Nov 13 09:46:46 CST 2006


http://bugs.winehq.org/show_bug.cgi?id=6677

           Summary: Buffer overflows in the msvcrt *printf family
           Product: Wine
           Version: CVS
          Platform: All
        OS/Version: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: wine-msvcrt
        AssignedTo: wine-bugs at winehq.org
        ReportedBy: samuel.howard.dennis at gmail.com


Numeric formats used with a large specified precision or very large floats will
cause buffer overflows in msvcrt.*printf.

There are safeguards of sorts in pf_vsnprintf but they only check the field
width, which is not even relevant for one of the two cases as the 64-bit integer
code uses the (safe) pf_fill function to expand the number.  (Checking
flags.Precision here instead of flags.FieldWidth when deciding whether to
dynamically allocate memory for the representation of the number before padding
and changing the behaviour of pf_integer_conv, which is also unsafe, would
eliminate this buffer overflow.)

The other case is more complicated, as a formatting string is reconstructed and
sent to the system sprintf.  The 40 character buffer allocated (unless a larger
minimum field width is specified) can easily be overrun with a large floating-point
value converted with the 'f' specifier, for example, or again any value if
the precision given is large.  More advanced calculations or use of snprintf is
required.

Additionally, when extra memory is allocated, pf_vsnprintf uses the pointer to
the static buffer instead of the dynamically allocated one in the HeapFree call.

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
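The report describes two defensive fixes: size the scratch buffer from the length the conversion actually needs (precision and value, not just field width), and free the heap block rather than the static buffer when one was allocated. The C program below is an added example written for this page; it is not Wine's pf_vsnprintf code. It uses a hypothetical 40-byte fixed buffer (FIXED_BUF_SIZE, standing in for the one the report mentions) and measures the required length with snprintf(NULL, 0, ...), so nothing is ever written past the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the 40-character scratch buffer the report
 * describes; this is example code, not Wine's implementation. */
#define FIXED_BUF_SIZE 40

/* Number of characters the conversion needs, excluding the NUL terminator.
 * snprintf with a zero size writes nothing and only reports the length,
 * so this is safe for any precision or magnitude. */
static int required_length(const char *fmt, double value)
{
    return snprintf(NULL, 0, fmt, value);
}

/* Diagnostic: would the unchecked sprintf-into-fixed-buffer pattern overflow
 * for this format and value?  The fixed buffer is never written here. */
static int fixed_buffer_would_overflow(const char *fmt, double value)
{
    int len = required_length(fmt, value);
    return len < 0 || len + 1 > FIXED_BUF_SIZE;
}

/* Safe pattern: use the caller's small buffer when the result fits, otherwise
 * allocate exactly len + 1 bytes.  *heap_out receives the heap block (or NULL)
 * so the caller frees that pointer and never the static one. */
static char *format_double(char *small_buf, size_t small_size,
                           const char *fmt, double value, char **heap_out)
{
    int len = required_length(fmt, value);
    char *dst;

    *heap_out = NULL;
    if (len < 0)
        return NULL;                       /* encoding error from snprintf */

    if ((size_t)len + 1 <= small_size) {
        dst = small_buf;                   /* fits: no allocation needed */
    } else {
        dst = malloc((size_t)len + 1);     /* too big: allocate exactly enough */
        if (!dst)
            return NULL;
        *heap_out = dst;
    }
    snprintf(dst, (size_t)len + 1, fmt, value);
    return dst;
}

int main(void)
{
    /* Constructed inputs: a huge magnitude, a huge precision, and a benign one. */
    const char *fmts[]  = { "%f",  "%.100f", "%.2f"  };
    double      values[] = { 1e300, 1.0,      3.14159 };
    char scratch[FIXED_BUF_SIZE];

    for (int i = 0; i < 3; i++) {
        char *heap;
        char *s = format_double(scratch, sizeof scratch, fmts[i], values[i], &heap);
        if (!s)
            continue;
        printf("%-7s -> %4zu chars, fixed buffer would overflow: %s\n",
               fmts[i], strlen(s),
               fixed_buffer_would_overflow(fmts[i], values[i]) ? "yes" : "no");
        free(heap);   /* heap is NULL when the static buffer was used */
    }
    return 0;
}
```

The length check must run before any byte is written; a check on the field width alone (as the report notes) cannot catch "%f" of 1e300 or "%.100f" of 1.0, both of which need far more than 40 bytes.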