diff options
| author | Sebastian Rasmussen <sebras@gmail.com> | 2018-02-13 02:33:32 +0100 |
|---|---|---|
| committer | Sebastian Rasmussen <sebras@gmail.com> | 2018-02-13 02:42:04 +0100 |
| commit | 7570d162477dc8efe67f4c31e93ed21bf8a3fd80 (patch) | |
| tree | b32bf58c4dadaed563fa380ef539df2255efacdd | |
| parent | 9d34a79511915498b1677dde4cd8d8254ece1ed7 (diff) | |
| download | mupdf-7570d162477dc8efe67f4c31e93ed21bf8a3fd80.tar.xz | |
Bug 699018: Null terminate buffer in fz_snprintf() even if too short.
Previously the trailing null terminator would not be written if the
formatted string ended up longer than the buffer.
| -rw-r--r-- | source/fitz/printf.c | 15 |
1 files changed, 9 insertions, 6 deletions
diff --git a/source/fitz/printf.c b/source/fitz/printf.c index bbdda93f..95131ed1 100644 --- a/source/fitz/printf.c +++ b/source/fitz/printf.c @@ -474,13 +474,15 @@ fz_vsnprintf(char *buffer, size_t space, const char *fmt, va_list args) { struct snprintf_buffer out; out.p = buffer; - out.s = space; + out.s = space > 0 ? space - 1 : 0; out.n = 0; /* Note: using a NULL context is safe here */ fz_format_string(NULL, &out, snprintf_emit, fmt, args); - snprintf_emit(NULL, &out, 0); - return out.n - 1; + if (space > 0) + out.p[out.n < space ? out.n : space - 1] = '\0'; + + return out.n; } size_t @@ -489,16 +491,17 @@ fz_snprintf(char *buffer, size_t space, const char *fmt, ...) va_list ap; struct snprintf_buffer out; out.p = buffer; - out.s = space; + out.s = space > 0 ? space - 1 : 0; out.n = 0; va_start(ap, fmt); /* Note: using a NULL context is safe here */ fz_format_string(NULL, &out, snprintf_emit, fmt, ap); - snprintf_emit(NULL, &out, 0); + if (space > 0) + out.p[out.n < space ? out.n : space - 1] = '\0'; va_end(ap); - return out.n - 1; + return out.n; } char * |