system/Error: truncate the snprintf() return value

snprintf() does not return the (truncated) length actually written, but the length that would be needed if the buffer were large enough. This API usage mistake in FormatLastError() can lead to overflow of the stack buffer, crashing the process (Windows only). Closes https://github.com/MusicPlayerDaemon/MPD/issues/1676

system/Error: truncate the snprintf() return value
73b5d0a9 · Max Kellermann · c2d0f35e · 73b5d0a9 · 73b5d0a9
Commit 73b5d0a9 authored Nov 28, 2022 by Max Kellermann
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

NEWS NEWS +2 -0

Error.hxx src/system/Error.hxx +4 -1

No files found.
--- a/NEWS
+++ b/NEWS
 ver 0.23.11 (not yet released)
 * macOS: fix build failure "no archive members specified"
+* Windows
+  - fix crash bug (stack buffer overflow) after I/O errors
 * Android/Windows
  - update OpenSSL to 3.0.7


--- a/src/system/Error.hxx
+++ b/src/system/Error.hxx
@@ -70,8 +70,11 @@ FormatLastError(DWORD code, const char *fmt, Args&&... args) noexcept
 {
 	char buffer[512];
 	const auto end = buffer + sizeof(buffer);
-	size_t length = snprintf(buffer, sizeof(buffer) - 128,
+	constexpr std::size_t max_prefix = sizeof(buffer) - 128;
+	size_t length = snprintf(buffer, max_prefix,
 				 fmt, std::forward<Args>(args)...);
+	if (length >= max_prefix)
+		length = max_prefix - 1;
 	char *p = buffer + length;
 	*p++ = ':';
 	*p++ = ' ';