author | Daniel Stenberg <daniel@haxx.se> | 2016-10-08 20:47:04 +0200 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2016-10-08 20:47:04 +0200 |
commit | 71588c9aef8112025c7525d20f57eb367a947344 (patch) | |
tree | c56860f704ba365861a835e7c789d8c8238867d5 | |
parent | 8238ba9c5f10414a88f502bf3f5d5a42d632984c (diff) |
mprintf: return error on too many arguments
128 arguments should be enough for everyone
-rw-r--r-- | lib/mprintf.c | 17 |
1 files changed, 12 insertions, 5 deletions
diff --git a/lib/mprintf.c b/lib/mprintf.c index 73f854bcb..dbedeaa18 100644 --- a/lib/mprintf.c +++ b/lib/mprintf.c @@ -227,10 +227,12 @@ static bool dprintf_IsQualifierNoDollar(const char *fmt) * Create an index with the type of each parameter entry and its * value (may vary in size) * + * Returns zero on success. + * ******************************************************************/ -static long dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos, - va_list arglist) +static int dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos, + va_list arglist) { char *fmt = (char *)format; int param_num = 0; @@ -393,6 +395,10 @@ static long dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos, i = this_param - 1; + if((i < 0) || (i >= MAX_PARAMETERS)) + /* out of allowed range */ + return 1; + switch (*fmt) { case 'S': flags |= FLAGS_ALT; @@ -549,7 +555,7 @@ static long dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos, } } - return max_param; + return 0; } @@ -587,7 +593,8 @@ static int dprintf_formatf( char *workend = &work[sizeof(work) - 2]; /* Do the actual %-code parsing */ - dprintf_Pass1(format, vto, endpos, ap_save); + if(dprintf_Pass1(format, vto, endpos, ap_save)) + return -1; end = &endpos[0]; /* the initial end-position from the list dprintf_Pass1() created for us */ @@ -992,7 +999,7 @@ int curl_mvsnprintf(char *buffer, size_t maxlength, const char *format, info.max = maxlength; retcode = dprintf_formatf(&info, addbyter, format, ap_save); - if(info.max) { + if((retcode != -1) && info.max) { /* we terminate this with a zero byte */ if(info.max == info.length) /* we're at maximum, scrap the last letter */ |
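Review bot: The bound added in the `@@ -393,6 +395,10 @@` hunk covers only `i = this_param - 1`, so any other value dprintf_Pass1 uses to index `vto` still needs the same check. If the width and precision taken from `*` or `$` specifiers are also turned into `vto` indexes further down (that code is outside this hunk, so this is inferred), each needs `if((k < 0) || (k >= MAX_PARAMETERS)) return 1;` before the store, with `k` standing for the derived index. The check also assumes the caller's `vto` array has exactly MAX_PARAMETERS entries, which is worth stating in the function's header comment. dprintf_Pass1 starts and ends outside the hunk.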
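Review bot: The early `return -1` added in the `@@ -587,7 +593,8 @@` hunk is not documented in any visible line, although the same commit documents dprintf_Pass1 with "Returns zero on success." I would add to the header comment of dprintf_formatf something like `Returns -1 if the format string uses a parameter index outside the allowed range; no output is produced in that case.` Only curl_mvsnprintf is adjusted in this diff, so the other wrappers that call dprintf_formatf (not shown) should be checked for how they treat -1. The function body continues outside the hunk.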
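Review bot: In the `@@ -992,7 +999,7 @@` hunk, curl_mvsnprintf now returns on the error path without writing a terminating zero, because `(retcode != -1) && info.max` skips the whole termination block. A caller that ignores the return value and then treats `buffer` as a string would read whatever the buffer held before the call. dprintf_formatf returns -1 directly after dprintf_Pass1 fails, apparently before any output is stored, so an empty string can be written safely: `else if((retcode == -1) && maxlength) buffer[0] = 0;`. The `if` block closes outside the hunk, so the exact placement has to be checked against the full function.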