[PATCH] Fix buffer overflow caused by printf implementation not subtracting space used from space available.

Andrew Miller ak.miller at auckland.ac.nz
Tue May 31 21:17:23 CDT 2011

Fixing Bug 27348. I wrote a simple test program that works on Windows 
but crashes on Wine without this patch (and works on Wine with this 
patch applied); the program is given as an attachment on the Bugzilla at 
winehq.org (http://bugs.winehq.org/show_bug.cgi?id=27348).

  dlls/msvcrt/printf.h |    1 +
  1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/dlls/msvcrt/printf.h b/dlls/msvcrt/printf.h
index a69e8f8..eefecd1 100644
--- a/dlls/msvcrt/printf.h
+++ b/dlls/msvcrt/printf.h
@@ -56,6 +56,7 @@ static int FUNC_NAME(puts_clbk_str)(void *ctx, int 
len, const APICHAR *str)

      memcpy(out->buf, str, len*sizeof(APICHAR));
      out->buf += len;
+    out->len -= len;
      return len;


Please note: I don't have time to follow this patch through the process 
or make any further changes that may be required - I would greatly 
appreciate it if someone else could adopt the patch. I won't be on the 
wine-patches e-mail list for very long, so please keep me CCd if you 
want to contact me.

This bug causes a crash with libxml2 programs on Wine if libxml2 has to 
produce an error message (which uses _vsnprintf) and so could 
potentially be affecting a number of programs.

Best wishes,

More information about the wine-patches mailing list