Fix for CVE-2014-1545: cvt_f() in pr/src/io/prprf.c formatted floating-point values with an unbounded sprintf() into a fixed 300-byte local buffer (fout). Use snprintf() bounded by sizeof(fout) instead, and reject a negative or oversized "%" directive length before copying it into fin.

Upstream-Status: Backport

Backported from nspr-4.10.6.tar.gz.
---
--- a/pr/src/io/prprf.c
+++ b/pr/src/io/prprf.c
@@ -50,6 +50,10 @@
 #include "prlog.h"
 #include "prmem.h"
 
+#ifdef _MSC_VER
+#define snprintf _snprintf
+#endif
+
 /*
 ** WARNING: This code may *NOT* call PR_LOG (because PR_LOG calls it)
 */
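Review bot: Defining `snprintf` as `_snprintf` for every `_MSC_VER` is only appropriate for compilers that lack a conforming snprintf; newer MSVC versions ship a standard `snprintf`, and as far as I recall their stdio.h rejects a macro of that name, so this should probably be narrowed to `#if defined(_MSC_VER) && _MSC_VER < 1900`. The aliased `_snprintf` also returns -1 on truncation and does not NUL-terminate the buffer, which differs from C99 snprintf, and nothing at the define says so; a comment such as `/* _snprintf returns -1 and leaves the buffer unterminated on truncation; callers must terminate */` would explain the manual termination done later in cvt_f.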
@@ -330,7 +334,7 @@
 ** Convert a double precision floating point number into its printable
 ** form.
 **
-** XXX stop using sprintf to convert floating point
+** XXX stop using snprintf to convert floating point
 */
 static int cvt_f(SprintfState *ss, double d, const char *fmt0, const char *fmt1)
 {
@@ -338,15 +342,14 @@
     char fout[300];
     int amount = fmt1 - fmt0;
 
-    PR_ASSERT((amount > 0) && (amount < sizeof(fin)));
-    if (amount >= sizeof(fin)) {
-	/* Totally bogus % command to sprintf. Just ignore it */
+    if (amount <= 0 || amount >= sizeof(fin)) {
+        /* Totally bogus % command to snprintf. Just ignore it */
 	return 0;
     }
     memcpy(fin, fmt0, amount);
     fin[amount] = 0;
 
-    /* Convert floating point using the native sprintf code */
+    /* Convert floating point using the native snprintf code */
 #ifdef DEBUG
     {
         const char *p = fin;
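Review bot: The two added lines are indented with eight spaces while the retained `return 0;` on the next line keeps the file's tab, so the body of the `if` now mixes both; the new lines should carry the same tab indentation as the surrounding code. Separately, because `amount <= 0` is tested first, a negative `int` never reaches the `amount >= sizeof(fin)` comparison, which would otherwise promote it to an unsigned value and accept it; a short comment such as `/* reject a negative length before the unsigned comparison */` would make that ordering deliberate rather than accidental. cvt_f continues outside this hunk and the declaration of fin is not visible here.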
@@ -356,14 +359,11 @@
         }
     }
 #endif
-    sprintf(fout, fin, d);
-
-    /*
-    ** This assert will catch overflow's of fout, when building with
-    ** debugging on. At least this way we can track down the evil piece
-    ** of calling code and fix it!
-    */
-    PR_ASSERT(strlen(fout) < sizeof(fout));
+    memset(fout, 0, sizeof(fout));
+    snprintf(fout, sizeof(fout), fin, d);
+    /* Explicitly null-terminate fout because on Windows snprintf doesn't
+     * append a null-terminator if the buffer is too small. */
+    fout[sizeof(fout) - 1] = '\0';
 
     return (*ss->stuff)(ss, fout, strlen(fout));
 }
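Review bot: The return value of `snprintf` is discarded, so a directive whose expansion does not fit the 300-byte `fout` is handed to ss->stuff as a silently truncated number, whereas an oversized directive is rejected with `return 0` earlier in the same function. Capturing the result and bailing on error or truncation, `int n = snprintf(fout, sizeof(fout), fin, d);` followed by `if (n < 0 || (size_t)n >= sizeof(fout)) return 0;`, keeps the two failure paths consistent and also covers the MSVC `_snprintf` case, which returns -1 on truncation. With that check in place the preceding `memset` of the whole buffer on every call is redundant, since the explicit terminator already handles the unterminated case and a truncated result is no longer emitted. cvt_f's body begins before this hunk.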