From 7570d162477dc8efe67f4c31e93ed21bf8a3fd80 Mon Sep 17 00:00:00 2001
From: Sebastian Rasmussen
Date: Tue, 13 Feb 2018 02:33:32 +0100
Subject: Bug 699018: Null terminate buffer in fz_snprintf() even if too short.

Previously the trailing null terminator would not be written if the formatted string ended up longer than the buffer.
---
 source/fitz/printf.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/source/fitz/printf.c b/source/fitz/printf.c
index bbdda93f..95131ed1 100644
--- a/source/fitz/printf.c
+++ b/source/fitz/printf.c
@@ -474,13 +474,15 @@ fz_vsnprintf(char *buffer, size_t space, const char *fmt, va_list args)
 {
 	struct snprintf_buffer out;
 	out.p = buffer;
-	out.s = space;
+	out.s = space > 0 ? space - 1 : 0;
 	out.n = 0;
 
 	/* Note: using a NULL context is safe here */
 	fz_format_string(NULL, &out, snprintf_emit, fmt, args);
-	snprintf_emit(NULL, &out, 0);
-	return out.n - 1;
+	if (space > 0)
+		out.p[out.n < space ? out.n : space - 1] = '\0';
+
+	return out.n;
 }
 
 size_t
@@ -489,16 +491,17 @@ fz_snprintf(char *buffer, size_t space, const char *fmt, ...)
 	va_list ap;
 	struct snprintf_buffer out;
 	out.p = buffer;
-	out.s = space;
+	out.s = space > 0 ? space - 1 : 0;
 	out.n = 0;
 
 	va_start(ap, fmt);
 	/* Note: using a NULL context is safe here */
 	fz_format_string(NULL, &out, snprintf_emit, fmt, ap);
-	snprintf_emit(NULL, &out, 0);
+	if (space > 0)
+		out.p[out.n < space ? out.n : space - 1] = '\0';
 	va_end(ap);
 
-	return out.n - 1;
+	return out.n;
 }
 
 char *
-- 
cgit v1.2.3
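Review bot: The return value of fz_vsnprintf changes meaning here — `return out.n;` now reports every formatted character, including those dropped once out.s was reached, so it can be greater than or equal to space — and a caller that treated the old result as the number of bytes stored, or as a safe index into buffer, must now compare it against space first; that contract belongs on the declaration in the header, e.g. `/* Returns the length the formatted string would have had, excluding the terminator; a result >= space means the output was truncated (still NUL-terminated when space > 0). */`. The terminator store `out.p[out.n < space ? out.n : space - 1]` is in bounds only if snprintf_emit never writes at or beyond index out.s, which is not visible in this hunk and is worth confirming, in particular for space == 0 where out.s is 0 and no byte may be stored. The same change is made to fz_snprintf in the next hunk. fz_vsnprintf's signature is in the hunk header context, outside the hunk.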
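Review bot: fz_snprintf now carries a second copy of the bounding and terminator logic (`out.s = space > 0 ? space - 1 : 0;` and the `out.p[out.n < space ? out.n : space - 1] = '\0';` store) that has to stay in sync with fz_vsnprintf by hand; since fz_vsnprintf is defined just above and takes a va_list, this function could wrap it between va_start and va_end and return its result, so the truncation rules live in one place. The function's opening lines (`size_t`, `fz_snprintf(...)`, `{`) are outside the hunk, and the `struct snprintf_buffer out;` declaration would no longer be needed.
```c
	/* … unchanged: function header and opening brace … */
	va_list ap;
	size_t n;

	va_start(ap, fmt);
	n = fz_vsnprintf(buffer, space, fmt, ap);
	va_end(ap);

	return n;
```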