cygwin: fix potential buffer overflow in small_sprintf

With "%C" format string, argument may convert in up to MB_LEN_MAX bytes. Relying on sys_wcstombs to add a trailing zero here requires us to provide a large enough buffer. * smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C".
author: Michael Haubenwallner <michael.haubenwallner@ssi-schaefer.com> 2017-10-09 18:57:58 +0200
committer: Corinna Vinschen <corinna@vinschen.de> 2017-10-10 13:35:16 +0200
commit: 44499712954d7450262da9db4ee4219e40b1aaac (patch)
tree: 6dd210e9db9ad70a40b12942679138265acc0bba
parent: 111b6813fb967a4bae51dc43d574c0c28d4dea6c (diff)
download: cygnal-44499712954d7450262da9db4ee4219e40b1aaac.tar.gz
cygnal-44499712954d7450262da9db4ee4219e40b1aaac.tar.bz2
cygnal-44499712954d7450262da9db4ee4219e40b1aaac.zip
1 files changed, 2 insertions, 2 deletions
diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
index 3cec31cce..8553f7002 100644
--- a/winsup/cygwin/smallprint.cc
+++ b/winsup/cygwin/smallprint.cc
@@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
 		case 'C':
 		  {
 		    WCHAR wc = (WCHAR) va_arg (ap, int);
-		    char buf[4], *c;
-		    sys_wcstombs (buf, 4, &wc, 1);
+		    char buf[MB_LEN_MAX+1] = "", *c;
+		    sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
 		    for (c = buf; *c; ++c)
 		      *dst++ = *c;
 		  }
author	Michael Haubenwallner <michael.haubenwallner@ssi-schaefer.com>	2017-10-09 18:57:58 +0200
committer	Corinna Vinschen <corinna@vinschen.de>	2017-10-10 13:35:16 +0200
commit	44499712954d7450262da9db4ee4219e40b1aaac (patch)
tree	6dd210e9db9ad70a40b12942679138265acc0bba
parent	111b6813fb967a4bae51dc43d574c0c28d4dea6c (diff)
download	cygnal-44499712954d7450262da9db4ee4219e40b1aaac.tar.gz cygnal-44499712954d7450262da9db4ee4219e40b1aaac.tar.bz2 cygnal-44499712954d7450262da9db4ee4219e40b1aaac.zip