On Sat, 2007-05-19 at 23:33 +0300, Timo Sirainen wrote:
> ~/src/git-1.5.1% grep +=.*snprintf *.c
> builtin-grep.c: len += snprintf(argptr, sizeof(randarg)-len,
> builtin-grep.c: len += snprintf(argptr, sizeof(randarg)-len,
> builtin-grep.c: len += snprintf(argptr, sizeof(randarg)-len,
> commit.c: i += snprintf(parents + i, sizeof(parents) - i - 1, " %s",
> commit.c: i += snprintf(parents + i, sizeof(parents) - i - 1, " %s",
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len, "\n");
> path.c: len += vsnprintf(pathname + len, PATH_MAX - len, fmt, args);
>
> Every single one of those is wrong. The Linux kernel's snprintf() handles code like this safely, but libc doesn't.
Correcting myself a bit: actually, only diff.c was wrong; in the other cases they checked for overflow.
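An added example in C (not code from git or from this thread) of the issue the message describes: snprintf() returns the length the output would have had, so "len += snprintf(...)" can push len past the buffer and make sizeof(buf) - len wrap to a huge size_t on the next call. The helper below keeps len inside the buffer and reports truncation; the join loop has the shape of the parents line in commit.c; buffer size and names are constructed.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

/* Appends formatted text at buf + *len (buf holds cap bytes). Unlike the
 * "len += snprintf(...)" idiom, *len never passes cap - 1: a piece that
 * does not fit is rolled back and -1 returned, so cap - *len cannot wrap. */
static int append_fmt(char *buf, size_t cap, size_t *len, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (*len >= cap) return -1;
    va_start(ap, fmt);
    n = vsnprintf(buf + *len, cap - *len, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= cap - *len) {
        buf[*len] = '\0';            /* truncated: drop the partial piece */
        return -1;
    }
    *len += (size_t)n;
    return 0;
}

/* Joins names into buf, each prefixed by a space (the shape of commit.c's
 * parents line); stops at the first name that does not fit, returns count. */
static size_t join_names(char *buf, size_t cap, const char *const *names, size_t count)
{
    size_t len = 0, i;
    if (cap == 0) return 0;
    buf[0] = '\0';
    for (i = 0; i < count; i++)
        if (append_fmt(buf, cap, &len, " %s", names[i]) < 0)
            break;
    return i;
}

/* Dry run of the unsafe idiom's arithmetic (size 0, so nothing is written):
 * the "remaining space" it would hand to the next snprintf call. */
static size_t unsafe_remaining(size_t cap, size_t len, const char *piece)
{
    len += (size_t)snprintf(NULL, 0, " %s", piece);  /* len may exceed cap */
    return cap - len;                                 /* wraps when it does */
}

/* Constructed sample: the second name needs 11 bytes, only 9 are left. */
static size_t demo_joined(void)
{
    static const char *const names[] = { "abcdef", "0123456789", "xyz" };
    char buf[16];
    return join_names(buf, sizeof buf, names, 3);
}
```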