
LibC: Stop stdio from adding null terminators out of bounds (#685)

When using the bounded string operations (e.g. snprintf), the null
terminator was always being written even if there was no space for
it (or indeed any valid buffer at all)

This overwriting caused segmentation faults and memory corruption
Vincent Sanders 5 tahun lalu
induk
melakukan
1be4c6e9cf
1 mengubah file dengan 3 tambahan dan 3 penghapusan
  1. 3 3
      Libraries/LibC/stdio.cpp

+ 3 - 3
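--- a/Libraries/LibC/stdio.cpp
+++ b/Libraries/LibC/stdio.cpp
@@ -395,7 +395,6 @@ int sprintf(char* buffer, const char* fmt, ...)
     va_list ap;
     va_start(ap, fmt);
     int ret = vsprintf(buffer, fmt, ap);
-    buffer[ret] = '\0';
     va_end(ap);
     return ret;
 }
@@ -413,7 +412,9 @@ int vsnprintf(char* buffer, size_t size, const char* fmt, va_list ap)
 {
     __vsnprintf_space_remaining = size;
     int ret = printf_internal(sized_buffer_putch, buffer, fmt, ap);
-    buffer[ret] = '\0';
+    if (__vsnprintf_space_remaining) {
+	    buffer[ret] = '\0';
+    }
     return ret;
 }
 
@@ -422,7 +423,6 @@ int snprintf(char* buffer, size_t size, const char* fmt, ...)
     va_list ap;
     va_start(ap, fmt);
     int ret = vsnprintf(buffer, size, fmt, ap);
-    buffer[ret] = '\0';
     va_end(ap);
     return ret;
 }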
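Review bot: In the vsnprintf hunk the new guard skips the terminator whenever `__vsnprintf_space_remaining` has reached zero, so output that fills or exceeds `size` appears to leave `buffer` without a NUL, whereas the C snprintf contract terminates whenever `size` is nonzero. A caller that then treats the result as a string would read past the end of the buffer. `sized_buffer_putch` is outside the hunk, so this assumes it decrements the counter once per stored byte. If so, reserve the last byte with `__vsnprintf_space_remaining = size ? size - 1 : 0;` and terminate with `if (size) buffer[(size_t)ret < size ? ret : size - 1] = '\0';`. A short comment on the guard saying that `size == 0` permits a null `buffer` would also document why the write is conditional.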