[PATCH] Fix buffer overflow caused by printf implementation not subtracting space used from space available.
ak.miller at auckland.ac.nz
Tue May 31 21:17:23 CDT 2011
Fixing Bug 27348. I wrote a simple test program that works on Windows
but crashes on Wine without this patch (and works on Wine with this
patch applied); the program is given as an attachment on the Bugzilla at
dlls/msvcrt/printf.h | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/dlls/msvcrt/printf.h b/dlls/msvcrt/printf.h
index a69e8f8..eefecd1 100644
@@ -56,6 +56,7 @@ static int FUNC_NAME(puts_clbk_str)(void *ctx, int
len, const APICHAR *str)
memcpy(out->buf, str, len*sizeof(APICHAR));
out->buf += len;
+ out->len -= len;
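Review bot: the new `out->len -= len;` only keeps `out->buf` and `out->len` consistent if `len` has already been clamped to `out->len` before the `memcpy(out->buf, str, len*sizeof(APICHAR));` above it; that check is not among the lines shown, so please confirm it exists and widen the hunk context to include it, otherwise a `len` larger than the remaining space still overruns the buffer and then drives `out->len` negative or wraps it. A regression test in the msvcrt test suite that formats a string longer than the destination through `_vsnprintf` would also be worth adding alongside the one-line fix, since the attached test program will not be run by anyone else.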
Please note: I don't have time to follow this patch through the process
or make any further changes that may be required - I would greatly
appreciate it if someone else could adopt the patch. I won't be on the
wine-patches e-mail list for very long, so please keep me CCd if you
want to contact me.
This bug causes a crash with libxml2 programs on Wine if libxml2 has to
produce an error message (which uses _vsnprintf) and so could
potentially be affecting a number of programs.
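To make the failure mode concrete, here is a small constructed model of the kind of bounded string sink the patch touches: a struct carrying the next write position and the space still available, a put callback that truncates to that space, and a canary placed directly after the destination buffer. This is illustrative code added to this message, not Wine's printf.h; the names `str_sink`, `sink_puts` and `canary_survives`, the 8-byte buffer and the two chunks written are all assumptions for the demonstration. The `fixed` flag selects between the accounting before and after the patch.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Constructed model (not Wine's code): a bounded character sink where
 * buf is the next write position and len is the space still available. */
typedef struct {
    char *buf;
    size_t len;   /* characters still available at buf */
} str_sink;

/* Copy up to out->len characters of str into the sink and return how many
 * were copied.  With fixed == 0 the remaining-space counter is never
 * decremented, which is the bug the patch addresses; with fixed == 1 it is. */
static size_t sink_puts(str_sink *out, const char *str, size_t len, int fixed)
{
    if (len > out->len)
        len = out->len;                 /* truncate to the space left */
    memcpy(out->buf, str, len);
    out->buf += len;
    if (fixed)
        out->len -= len;                /* the accounting the patch adds */
    return len;
}

/* Write two constructed chunks into an 8-byte buffer that is immediately
 * followed by an 8-byte canary.  Returns 1 if the canary is intact after
 * both writes (no overflow), 0 if it was overwritten. */
int canary_survives(int fixed)
{
    char area[16];                      /* [0..8) destination, [8..16) canary */
    memset(area, 0, sizeof area);
    memcpy(area + 8, "CANARY!", 8);

    str_sink out = { area, 8 };
    sink_puts(&out, "error: ", 7, fixed);   /* uses 7 of the 8 bytes */
    sink_puts(&out, "message", 7, fixed);   /* only 1 more byte should fit */

    return memcmp(area + 8, "CANARY!", 8) == 0;
}

/* Space the sink believes it still has after both writes: with the bug the
 * counter is still the original 8, after the fix it is 0. */
size_t space_believed_left(int fixed)
{
    char area[16];
    memset(area, 0, sizeof area);
    str_sink out = { area, 8 };
    sink_puts(&out, "error: ", 7, fixed);
    sink_puts(&out, "message", 7, fixed);
    return out.len;
}

int main(void)
{
    printf("unpatched accounting: canary %s, sink thinks %zu bytes remain\n",
           canary_survives(0) ? "intact" : "CLOBBERED", space_believed_left(0));
    printf("patched accounting:   canary %s, sink thinks %zu bytes remain\n",
           canary_survives(1) ? "intact" : "CLOBBERED", space_believed_left(1));
    return 0;
}
```

The second write is the interesting one: without the decrement the sink still believes all 8 bytes are free, so the truncation check passes and 7 bytes land at offset 7, six of them on top of the canary. With the decrement the remaining space is 1, the chunk is clamped to a single byte, and the canary survives.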