We are currently migrating Bugzilla to GitHub issues.
Any changes made to the bug tracker now will be lost, so please do not post new bugs or make changes to them.
When we're done, all bug URLs will redirect to their equivalent location on the new bug tracker.

Bug 3531

Summary: internal SDL_vsnprintf implementation access memory outside given buffer ranges
Product: SDL Reporter: Tristan <info>
Component: *don't know*Assignee: Ryan C. Gordon <icculus>
Status: RESOLVED FIXED QA Contact: Sam Lantinga <slouken>
Severity: normal    
Priority: P2    
Version: 2.0.5   
Hardware: All   
OS: Windows 10   

Description Tristan 2016-12-28 20:08:25 UTC
The internal SDL_vsnprintf implementation accesses memory outside buffer. The bug existed also inside the format (%) processing, which was fixed with Bug 3441.

But there is still an invalid access, if we do not have any format inside the source string and the destination string is shorter than the format string. You can use any string for this test, as long it is longer than the buffer.

Example:

va_list argList;
char buffer[4];
SDL_vsnprintf(buffer, sizeof(buffer), "Testing", argList);

The bug is located on the 'else' branch of the format char test:

while (*fmt) {
  if (*fmt == '%') {
    ...
  } else {
    if (left > 1) {
      *text = *fmt;
      --left;
    }
    ++fmt;
    ++text;
  }
}
if (left > 0) {
  *text = '\0';
}

As you can see that text is always incremented, even when left is already one. When then on the last lines, *text is assigned the NULL char, the pointer is located outside bounds.

Sorry for my perhaps ambiguous english, it is not my native language.
Comment 1 Sam Lantinga 2017-01-01 00:15:09 UTC
Good catch. This is fixed, thanks!
https://hg.libsdl.org/SDL/rev/5f8d2376d5b2