Buffer overflow within snprintf() and vsnprintf() functions

Following code for appending string to the buffer using snprintf family of function may cause buffer overflow:
```c
offset += snprintf(buffer + offset, MAX_STR_LEN - offset, "string");
offset += snprintf(buffer + offset, MAX_STR_LEN - offset, "string2");
```
The second argument of snprintf is size_t, it means that if `offset > MAX_STR_LEN`, then `MAX_STR_LEN - offset` will underflow and `snprintf()` will write outside of the buffer creating a buffer overflow. This is because `snprintf()` and `vsnprintf()` does not return the number of characters written, but If the number of characters which would have been written to the final string if enough space had been available.

It is used in `print.c` and `output.c`.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Buffer overflow within snprintf() and vsnprintf() functions #2

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Buffer overflow within snprintf() and vsnprintf() functions #2

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions