niansa-misc/musl
1
0
Fork 0
mirror of git://git.musl-libc.org/musl synced 2025-03-06 20:48:29 +01:00
Code Issues Projects Releases Packages Wiki Activity

fix wide printf numbered argument buffer overflow

Browse source 
The nl_type and nl_arg arrays defined in vfwprintf may be accessed
with an index up to and including NL_ARGMAX, but they are only of size
NL_ARGMAX, meaning they may be written to or read from 1 element too
far.
This commit is contained in:
Gabriel Ravier 2023-04-14 16:55:42 +02:00 committed by Rich Felker
parent c1b42c4a3a
commit 4724793f96
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/stdio/vfwprintf.c
View file

@ -347,8 +347,8 @@ overflow:
int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap) int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
{ {
va_list ap2; va_list ap2;
int nl_type[NL_ARGMAX] = {0}; int nl_type[NL_ARGMAX+1] = {0};
union arg nl_arg[NL_ARGMAX]; union arg nl_arg[NL_ARGMAX+1];
int olderr; int olderr;
int ret; int ret;