fix wide printf numbered argument buffer overflow

The nl_type and nl_arg arrays defined in vfwprintf may be accessed
with an index up to and including NL_ARGMAX, but they are only of size
NL_ARGMAX, meaning they may be written to or read from 1 element too
far.
Gabriel Ravier 2023-04-14 16:55:42 +02:00 committed by Rich Felker
parent c1b42c4a3a
commit 4724793f96
1 changed files with 2 additions and 2 deletions

@ -347,8 +347,8 @@ overflow:
int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
{
va_list ap2;
int nl_type[NL_ARGMAX] = {0};
union arg nl_arg[NL_ARGMAX];
int nl_type[NL_ARGMAX+1] = {0};
union arg nl_arg[NL_ARGMAX+1];
int olderr;
int ret;
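Review bot: The two new declarations, `int nl_type[NL_ARGMAX+1]` and `union arg nl_arg[NL_ARGMAX+1]`, carry a bare `+1` with nothing in the code to say why. The commit message explains that the arrays are indexed up to and including NL_ARGMAX, but that reasoning lives only in the log. A one-line comment above the declarations stating that valid indices run through NL_ARGMAX inclusive would keep a later cleanup from shrinking them back. The change also touches only one file and adds no test. A regression case that calls a wide printf function with a numbered argument at position NL_ARGMAX would pin the boundary down. Separately, `nl_type` is zero-initialized while `nl_arg` is not, both before and after this change, so it is worth confirming that every read of `nl_arg[i]` is guarded by a nonzero `nl_type[i]`, including for the newly added last slot.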