Commit 73b5d0a9 authored by Max Kellermann

system/Error: truncate the snprintf() return value

snprintf() does not return the (truncated) length actually written, but the length that would be needed if the buffer were large enough. This API usage mistake in FormatLastError() can lead to overflow of the stack buffer, crashing the process (Windows only).

Closes https://github.com/MusicPlayerDaemon/MPD/issues/1676
parent c2d0f35e
ver 0.23.11 (not yet released) ver 0.23.11 (not yet released)
* macOS: fix build failure "no archive members specified" * macOS: fix build failure "no archive members specified"
* Windows
- fix crash bug (stack buffer overflow) after I/O errors
* Android/Windows * Android/Windows
- update OpenSSL to 3.0.7 - update OpenSSL to 3.0.7
......
...@@ -70,8 +70,11 @@ FormatLastError(DWORD code, const char *fmt, Args&&... args) noexcept ...@@ -70,8 +70,11 @@ FormatLastError(DWORD code, const char *fmt, Args&&... args) noexcept
{ {
char buffer[512]; char buffer[512];
const auto end = buffer + sizeof(buffer); const auto end = buffer + sizeof(buffer);
size_t length = snprintf(buffer, sizeof(buffer) - 128, constexpr std::size_t max_prefix = sizeof(buffer) - 128;
size_t length = snprintf(buffer, max_prefix,
fmt, std::forward<Args>(args)...); fmt, std::forward<Args>(args)...);
if (length >= max_prefix)
length = max_prefix - 1;
char *p = buffer + length; char *p = buffer + length;
*p++ = ':'; *p++ = ':';
*p++ = ' '; *p++ = ' ';
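Review bot: on the `size_t length = snprintf(buffer, max_prefix,` line the int result is still stored in a size_t, so a negative return (snprintf reports an output error that way) turns into a huge value that the new `length >= max_prefix` check silently clamps to max_prefix - 1. In that case p would sit past bytes that were never written, and the resulting message would carry uninitialized stack contents. Suggest keeping the result in an int, treating a negative value as length 0, and only then applying the clamp. The clamp value itself matches what snprintf stores on truncation (max_prefix - 1 characters plus the terminator).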
......
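The return-value behaviour the commit message describes, as an added example that is not MPD's code: it shows snprintf() reporting more than it stored, and a clamping helper that keeps later writes inside the buffer. The names ReportedLength, FormatClamped and BuildMessage and the sample strings are assumptions made for illustration; the 512/128 sizes are taken from the hunk above.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <utility>

// What snprintf() reports: the length the full output needs, not what fit.
static int ReportedLength(char *buf, std::size_t cap, const char *s) noexcept
{
	return std::snprintf(buf, cap, "%s", s);
}

// Hypothetical helper: format into buf[0..cap) and return the number of
// characters actually stored (excluding the NUL), at most cap - 1.
template<typename... Args>
static std::size_t FormatClamped(char *buf, std::size_t cap,
				 const char *fmt, Args&&... args) noexcept
{
	if (cap == 0)
		return 0;
	const int n = std::snprintf(buf, cap, fmt, std::forward<Args>(args)...);
	if (n < 0) { // output error: treat the result as empty
		buf[0] = '\0';
		return 0;
	}
	if (static_cast<std::size_t>(n) >= cap) // truncated: cap - 1 chars fit
		return cap - 1;
	return static_cast<std::size_t>(n);
}

// Build "<prefix>: <detail>", keeping `reserve` bytes free for the suffix.
// Assumes out_cap > reserve.
static std::size_t BuildMessage(char *out, std::size_t out_cap,
				std::size_t reserve, const char *prefix,
				const char *detail) noexcept
{
	std::size_t len = FormatClamped(out, out_cap - reserve, "%s", prefix);
	len += FormatClamped(out + len, out_cap - len, ": %s", detail);
	return len;
}

int main()
{
	char prefix[600]; // constructed input, longer than the prefix area
	std::memset(prefix, 'A', sizeof(prefix) - 1);
	prefix[sizeof(prefix) - 1] = '\0';
	char buf[512];
	std::printf("reported=%d\n", ReportedLength(buf, sizeof(buf) - 128, prefix));
	std::printf("stored=%zu\n", BuildMessage(buf, sizeof(buf), 128, prefix, "constructed detail"));
}
```

Using the reported value as a write offset, as the pre-patch code did, would place the next byte at index 599 of a 512-byte buffer for this input.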