[eggheads-patches] PATCH: s_sprintf.patch

Peter 'Rattacresh' Backes rtc at rhrk.uni-kl.de
Wed Oct 6 15:39:24 CST 1999


simple_sprintf (buffer, "%s", (string longer than 1024 bytes)) 
caused a buffer overrun, and sometimes a SEGV if the length was very big.


-- Peter 'Rattacresh' Backes, rtc at rhrk.uni-kl.de

diff -urN eggdrop1.3.29/doc/UPDATES1.3 eggdrop1.3.29+s_sprintf/doc/UPDATES1.3
--- eggdrop1.3.29/doc/UPDATES1.3	Wed Oct  6 21:08:59 1999
+++ eggdrop1.3.29+s_sprintf/doc/UPDATES1.3	Wed Oct  6 21:07:33 1999
@@ -4,6 +4,7 @@
 
 1.3.29
 Foundby   Fixedby   What....
+          rtc       fixed buffer overrun in simple_sprintf.
 	  arthur2   duplicate entries removed from core.english.lang.
 Beige	  Fabian    killsock() could accidently free unused socket entries
           Tothwolf/ fixed way we get version number for Tcl_PkgProvide()
diff -urN eggdrop1.3.29/src/botmsg.c eggdrop1.3.29+s_sprintf/src/botmsg.c
--- eggdrop1.3.29/src/botmsg.c	Wed Oct  6 21:08:59 1999
+++ eggdrop1.3.29+s_sprintf/src/botmsg.c	Wed Oct  6 21:03:32 1999
@@ -139,22 +139,18 @@
       switch (*format) {
       case 's':
 	s = va_arg(va, char *);
-
 	break;
       case 'd':
       case 'i':
 	i = va_arg(va, int);
-
 	s = int_to_base10(i);
 	break;
       case 'D':
 	i = va_arg(va, int);
-
 	s = int_to_base64((unsigned int) i);
 	break;
       case 'u':
 	i = va_arg(va, unsigned int);
-
         s = unsigned_int_to_base10(i);
 	break;
       case '%':
@@ -162,14 +158,13 @@
 	continue;
       case 'c':
 	buf[c++] = (char) va_arg(va, int);
-
 	format++;
 	continue;
       default:
 	continue;
       }
       if (s)
-	while (*s)
+	while (*s && (c < 1023))
 	  buf[c++] = *s++;
       format++;
     } else
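Review bot: The `%c` case at the top of the hunk, `buf[c++] = (char) va_arg(va, int);`, still stores into buf with no check on c, so the overrun is closed only for `%s` arguments; the same guard belongs there, `if (c < 1023) buf[c++] = (char) va_arg(va, int);`, and the `%%` case above the hunk and the literal-copy path in the `else` branch after it presumably need it as well. The limit 1023 is a bare magic number; if buf is a fixed array in this function (its declaration is outside the hunk), `sizeof buf - 1` would keep the guard tied to the real size. A short comment on the new loop, `/* stop one short of the end so the terminating NUL always fits */`, would record why 1023 rather than 1024. The enclosing function starts before and continues past this hunk, so whether the final NUL is written after truncation cannot be confirmed from here.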

