I think I stumbled upon a bug in the i_snprintf() function. In the case of
vsnprintf() being available, it depends on vsnprintf() returning -1 when the
string was longer than the passed-in limit (or it won't terminate the
string). But this isn't the C99-standardized behaviour, and newer glibcs
don't do that anymore either, so you can end up with a non-terminated
string. This patch should fix it, I think.
Index: strfuncs.c
===================================================================
RCS file: /home/cvs/dovecot/src/lib/strfuncs.c,v
retrieving revision 1.14
diff -c -u -r1.14 strfuncs.c
--- strfuncs.c 20 Oct 2002 03:19:10 -0000 1.14
+++ strfuncs.c 23 Oct 2002 11:19:39 -0000
@@ -401,7 +401,7 @@
va_end(args);
t_pop();
- if (ret < 0) {
+ if (ret < 0 || ret >= max_chars) {
str[max_chars-1] = '\0';
ret = strlen(str);
}
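Review bot: the added `ret >= max_chars` test is the right check for a C99 vsnprintf(), which on truncation returns the length the full output would have had rather than -1, so after this change `ret` reflects what was actually stored instead of a value a caller could use to index past `str`. One edge remains in the visible lines: with `max_chars == 0` the write `str[max_chars-1] = '\0'` indexes before the buffer, so either the callers guarantee `max_chars >= 1` or the function should return early in that case.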
--
Thomas Wouters
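As an added example (not Dovecot's own code), the wrapper below applies the same clamping rule as the patched i_snprintf() so that it behaves the same whether the platform's vsnprintf() reports truncation as -1 or as the would-be length, and also handles the zero-length buffer case; the names bounded_format and bounded_vformat are assumptions of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Example wrapper (hypothetical name, not Dovecot's i_snprintf): formats into
 * str with at most max_chars bytes including the terminator and returns the
 * length actually stored, regardless of which vsnprintf() convention the
 * platform follows (-1 on overflow, or the full would-be length per C99). */
static int bounded_vformat(char *str, size_t max_chars, const char *fmt, va_list args)
{
    int ret;

    if (max_chars == 0)              /* no room even for the terminator */
        return 0;

    ret = vsnprintf(str, max_chars, fmt, args);
    if (ret < 0 || (size_t)ret >= max_chars) {
        /* truncation or error: force termination, report the stored length */
        str[max_chars - 1] = '\0';
        ret = (int)strlen(str);
    }
    return ret;
}

int bounded_format(char *str, size_t max_chars, const char *fmt, ...)
{
    va_list args;
    int ret;

    va_start(args, fmt);
    ret = bounded_vformat(str, max_chars, fmt, args);
    va_end(args);
    return ret;
}

/* Constructed input that overflows an 8-byte buffer: 12 characters requested,
 * 7 stored plus the terminator. The pre-patch code would return 12 here. */
int demo_truncated(void)
{
    char buf[8];
    return bounded_format(buf, sizeof buf, "%s", "hello, world");
}

/* Constructed input that fits: the return value is the plain length. */
int demo_fits(void)
{
    char buf[8];
    return bounded_format(buf, sizeof buf, "%s", "abc");
}
```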