[Zlib-devel] potential overflows by sprintf/vsprintf in gzio.c
Mark Adler
madler at alumni.caltech.edu
Sun Apr 6 14:03:01 EDT 2003
All,
Below is what the security blanket code in gzio.c for gzprintf() looks
like now.
mark
/*
========================================================================
===
Converts, formats, and writes the args to the compressed file under
control of the format string, as in fprintf. gzprintf returns the
number of
uncompressed bytes actually written (0 in case of error).
*/
#ifdef STDC
#include <stdarg.h>
int ZEXPORTVA gzprintf (gzFile file, const char *format, /* args */ ...)
{
char buf[Z_PRINTF_BUFSIZE];
va_list va;
int len;
buf[sizeof(buf) - 1] = 0;
va_start(va, format);
#ifdef NO_vsnprintf
# ifdef HAS_vsprintf_void
(void)vsprintf(buf, format, va);
va_end(va);
for (len = 0; len < sizeof(buf); len++)
if (buf[len] == 0) break;
# else
len = vsprintf(buf, format, va);
va_end(va);
# endif
#else
# ifdef HAS_vsnprintf_void
(void)vsnprintf(buf, sizeof(buf), format, va);
va_end(va);
len = strlen(buf);
# else
len = vsnprintf(buf, sizeof(buf), format, va);
va_end(va);
# endif
#endif
if (len <= 0 || len >= sizeof(buf) || buf[sizeof(buf) - 1] != 0)
return 0;
return gzwrite(file, buf, (unsigned)len);
}
#else /* not ANSI C */
int ZEXPORTVA gzprintf (file, format, a1, a2, a3, a4, a5, a6, a7, a8,
a9, a10,
a11, a12, a13, a14, a15, a16, a17, a18, a19, a20)
gzFile file;
const char *format;
int a1, a2, a3, a4, a5, a6, a7, a8, a9, a10,
a11, a12, a13, a14, a15, a16, a17, a18, a19, a20;
{
char buf[Z_PRINTF_BUFSIZE];
int len;
buf[sizeof(buf) - 1] = 0;
#ifdef NO_snprintf
# ifdef HAS_sprintf_void
sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
for (len = 0; len < sizeof(buf); len++)
if (buf[len] == 0) break;
# else
len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19,
a20);
# endif
#else
# ifdef HAS_snprintf_void
snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
len = strlen(buf);
# else
len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6,
a7, a8,
a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19,
a20);
# endif
#endif
if (len <= 0 || len >= sizeof(buf) || buf[sizeof(buf) - 1] != 0)
return 0;
return gzwrite(file, buf, len);
}
#endif
More information about the Zlib-devel
mailing list