[Bug 6677] Buffer overflows in the msvcrt *printf family

Wine Bugs wine-bugs at winehq.org
Mon Nov 13 12:42:08 CST 2006


http://bugs.winehq.org/show_bug.cgi?id=6677

------- Additional Comments From samuel.howard.dennis at gmail.com  2006-13-11 12:42 -------
It does use the dynamic buffer when FieldLength is greater than 40; I wasn't
arguing that it didn't.  That's not the buffer it tries to free though.

FieldLength is only set from the formatting string, conversion has no effect on
it and you test before converting anyway.

sprintf(buffer, "%.50d", 1) and sprintf(buffer, "%.50I64d", 1) (into a buffer of
sufficient size to theoretically hold the result) demonstrate the problems quite
well unless you think that this is normal output:

err:seh:setup_exception nested exception on signal stack in thread 001d eip
7efd39f5 esp 7ffddbf0 stack 0x231000-0x340000

The code is, I'm afraid to say, just obviously wrong.

-- 
Configure bugmail: http://bugs.winehq.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.