
Bug 3441 - Buffer overflow in internal SDL_vsnprintf()
Summary: Buffer overflow in internal SDL_vsnprintf()
Status: RESOLVED FIXED
Alias: None
Product: SDL
Classification: Unclassified
Component: *don't know*
Version: HG 2.0
Hardware: All Windows (All)
Importance: P2 major
Assignee: Ryan C. Gordon
QA Contact: Sam Lantinga
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-10-02 16:28 UTC by Taylor Richards
Modified: 2016-10-04 18:26 UTC

See Also:


Attachments
SDL_vsnprintf() fixes (2.21 KB, patch)
2016-10-02 16:28 UTC, Taylor Richards

Description Taylor Richards 2016-10-02 16:28:56 UTC
Created attachment 2571
SDL_vsnprintf() fixes

When using the internal SDL_vsnprintf(), and the source string length is greater than the destination's, the final NULL char will be written beyond the destination size.

The primary issue is that SDL_strlcpy returns the length of the source string (SDL_PrintString()), not how much is written to the destination. The destination ptr is then incremented by this length before the sanity check is done. The destination string is properly terminated, but an extra NULL char will be written beyond the destination buffer length.

The patch used internally is attached; it fixes the primary issue with SDL_strlcpy() in SDL_PrintString() and adjusts the sanity checks to increment the destination ptr safely.
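The defect described in the report comes from the strlcpy contract: the function returns the length of the source string, not the number of bytes it copied, so a caller that advances its write cursor by the return value can end up pointing past the end of the destination. The following is an added example, not SDL's code and not the attached patch; the helper names (my_strlcpy, terminator_offset_buggy, terminator_offset_fixed) and the simplified "copy one string then terminate" formatter are constructed for illustration. The buggy variant only reports where the terminator would land instead of writing it, so the example itself stays memory-safe while showing the out-of-bounds offset; the fixed variant clamps the advance to what actually fit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* BSD-style strlcpy (constructed stand-in for SDL_strlcpy): copies at most
 * size-1 bytes, always NUL-terminates when size > 0, and returns strlen(src),
 * i.e. the length of the SOURCE, not the number of bytes written. */
static size_t my_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Buggy pattern: advance the cursor by strlcpy's return value.
 * Returns the offset at which the final '\0' WOULD be written; when the
 * source is longer than the buffer this offset is >= dstsize, which is
 * exactly the one-byte overwrite the report describes. The write itself is
 * deliberately omitted here so the demonstration never touches memory
 * outside dst. */
size_t terminator_offset_buggy(char *dst, size_t dstsize, const char *src)
{
    char *text = dst;
    size_t maxlen = dstsize;
    size_t len = my_strlcpy(text, src, maxlen);
    text += len;                 /* BUG: len may exceed maxlen */
    return (size_t)(text - dst); /* where '\0' would be stored */
}

/* Fixed pattern: clamp the advance to the number of bytes that actually
 * fit, so the terminating write always lands inside the buffer. */
size_t terminator_offset_fixed(char *dst, size_t dstsize, const char *src)
{
    char *text = dst;
    size_t maxlen = dstsize;
    size_t len = my_strlcpy(text, src, maxlen);
    if (len >= maxlen) {
        len = maxlen > 0 ? maxlen - 1 : 0; /* only maxlen-1 bytes were copied */
    }
    text += len;
    *text = '\0'; /* in bounds: offset <= maxlen-1 */
    return (size_t)(text - dst);
}

int main(void)
{
    char buf[8]; /* constructed small destination */
    const char *longsrc = "this string is long"; /* 19 bytes, does not fit */

    size_t bad = terminator_offset_buggy(buf, sizeof buf, longsrc);
    printf("buggy: terminator at offset %zu (buffer size %zu) -> %s\n",
           bad, sizeof buf, bad >= sizeof buf ? "OUT OF BOUNDS" : "ok");

    size_t good = terminator_offset_fixed(buf, sizeof buf, longsrc);
    printf("fixed: terminator at offset %zu, buffer holds \"%s\"\n", good, buf);
    return 0;
}
```

A regression check for this class of bug is to run the formatter with a destination smaller than the formatted output under AddressSanitizer; the buggy cursor arithmetic produces a one-byte heap or stack write past the end of the buffer, which ASan reports immediately even though the copied string itself is correctly terminated.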
Comment 1 Ryan C. Gordon 2016-10-04 18:26:07 UTC
This patch is now https://hg.libsdl.org/SDL/rev/87cf824a5508, thanks!

--ryan.