authorDaniel Stenberg <daniel@haxx.se>2016-10-08 20:47:04 +0200
committerDaniel Stenberg <daniel@haxx.se>2016-10-08 20:47:04 +0200
commit71588c9aef8112025c7525d20f57eb367a947344 (patch)
treec56860f704ba365861a835e7c789d8c8238867d5
parent8238ba9c5f10414a88f502bf3f5d5a42d632984c (diff)
mprintf: return error on too many arguments
128 arguments should be enough for everyone
-rw-r--r--lib/mprintf.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/lib/mprintf.c b/lib/mprintf.c
index 73f854bcb..dbedeaa18 100644
--- a/lib/mprintf.c
+++ b/lib/mprintf.c
@@ -227,10 +227,12 @@ static bool dprintf_IsQualifierNoDollar(const char *fmt)
* Create an index with the type of each parameter entry and its
* value (may vary in size)
*
+ * Returns zero on success.
+ *
******************************************************************/
-static long dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos,
- va_list arglist)
+static int dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos,
+ va_list arglist)
{
char *fmt = (char *)format;
int param_num = 0;
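Review bot: The added header line `* Returns zero on success.` does not say what the failure value is or what triggers it, while the check added further down in this commit returns 1 for a parameter index outside the table. I would spell it out, for example `* Returns zero on success, non-zero if the format string refers to a parameter outside 0..MAX_PARAMETERS-1.`, so the contract matches the caller's `if(dprintf_Pass1(...))` test. The function body continues outside this hunk.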
@@ -393,6 +395,10 @@ static long dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos,
i = this_param - 1;
+ if((i < 0) || (i >= MAX_PARAMETERS))
+ /* out of allowed range */
+ return 1;
+
switch (*fmt) {
case 'S':
flags |= FLAGS_ALT;
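Review bot: The new range check bounds only `i`, the index derived from `this_param`. If Pass1 takes any other index into `vto` from the format string (positional width or precision entries, for instance, which this hunk does not show), those need the same `(k < 0) || (k >= MAX_PARAMETERS)` test before they are used as a subscript. The check also relies on the caller's `vto` array holding exactly MAX_PARAMETERS entries, which is worth stating in the comment: `/* vto[] has MAX_PARAMETERS slots; reject any index outside it */`. The surrounding loop starts and ends outside the hunk.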
@@ -549,7 +555,7 @@ static long dprintf_Pass1(const char *format, va_stack_t *vto, char **endpos,
}
}
- return max_param;
+ return 0;
}
@@ -587,7 +593,8 @@ static int dprintf_formatf(
char *workend = &work[sizeof(work) - 2];
/* Do the actual %-code parsing */
- dprintf_Pass1(format, vto, endpos, ap_save);
+ if(dprintf_Pass1(format, vto, endpos, ap_save))
+ return -1;
end = &endpos[0]; /* the initial end-position from the list dprintf_Pass1()
created for us */
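Review bot: The early `return -1;` gives dprintf_formatf a failure path that is taken before any output is produced, and every caller has to cope with it. This diff adjusts only curl_mvsnprintf, so the other callers in lib/mprintf.c (not visible here) should be checked for code that assumes a non-negative count or an already written buffer. A short comment at the call would record the reason: `/* non-zero: the format referenced a parameter outside MAX_PARAMETERS */`. The function body starts and ends outside the hunk.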
@@ -992,7 +999,7 @@ int curl_mvsnprintf(char *buffer, size_t maxlength, const char *format,
info.max = maxlength;
retcode = dprintf_formatf(&info, addbyter, format, ap_save);
- if(info.max) {
+ if((retcode != -1) && info.max) {
/* we terminate this with a zero byte */
if(info.max == info.length)
/* we're at maximum, scrap the last letter */
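Review bot: With the added `(retcode != -1)` condition the error path skips the termination block entirely, so `buffer` is left exactly as the caller passed it. A caller that ignores the return value and then treats the buffer as a string would read stale or unterminated memory. The Pass1 failure added by this commit returns before any output is produced, so storing an empty string on that path is safe: `if((retcode == -1) && maxlength) buffer[0] = 0;`. Whether dprintf_formatf can return -1 after partial output is not visible here and should be confirmed. The `if` block closes outside this hunk.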