Fix buffer overflows in doprnt (bug#75900)

* src/doprnt.c (doprnt): Clear rest of buffer on multibyte overflow. Always decrement bufsize when writing a byte.
2025-01-27 13:05:07 -08:00 · 2025-01-27 13:05:07 -08:00 · 0ed913cf46
commit 0ed913cf46
parent 9b2e230c06
1 changed files with 7 additions and 2 deletions
--- a/src/doprnt.c
+++ b/src/doprnt.c
@ -447,7 +447,8 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
 		  while (tem != 0);

 		  memcpy (bufptr, string, tem);
-		  bufptr[tem] = 0;
+		  while (tem < bufsize)
+		    bufptr[tem++] = 0;
 		  /* Trigger exit from the loop, but make sure we
 		     return to the caller a value which will indicate
 		     that the buffer was too small.  */
@ -499,6 +500,7 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
 	    fmtchar = '\'';

 	  *bufptr++ = fmtchar;
+	  bufsize--;
 	  continue;
 	}
      else
@ -524,7 +526,10 @@ doprnt (char *buffer, ptrdiff_t bufsize, const char *format,
      else
 	{
 	  do
-	    *bufptr++ = *src++;
+	    {
+	      *bufptr++ = *src++;
+	      bufsize--;
+	    }
 	  while (--srclen != 0);
 	}
    }