Bug 4907 - String overflow via [_]vsprintf
Status: RESOLVED FIXED
Alias: None
Product: ioquake3
Classification: Unclassified
Component: Misc
Version: GIT MASTER
Hardware: PC Windows XP
Importance: P3 critical
Assignee: Zachary J. Slater
QA Contact: ioquake3 bugzilla mailing list
Reported: 2011-02-15 17:22 EST by Eugene C.
Modified: 2011-02-23 11:19:32 EST
Attachments
partial fix (6.53 KB, patch)
2011-02-15 17:22 EST, Eugene C.
engine fix (6.56 KB, patch)
2011-02-18 15:52 EST, Eugene C.

Description Eugene C. 2011-02-15 17:22:57 EST
Created attachment 2613
partial fix

Looks like MSVC's implementation of the [_]vsprintf() function doesn't put a final '\0' in case of text overflow, which means the resulting string becomes unterminated; it also returns -1 in that case. The bug affects mingw builds too (imports msvcrt.dll).

The suggested solution is for the engine only atm.
Comment 1 Eugene C. 2011-02-15 17:32:30 EST
_vsnprintf, not _vsprintf, of course.
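
Added example, not part of the original report and not the attached patch or the committed ioquake3 fix: a C sketch of the failure described above and of a wrapper that always terminates the buffer. `model_vsnprintf` is a constructed stand-in for msvcrt's `_vsnprintf` so the code runs on any C99 system, `raw_terminated` and `safe_snprintf` are hypothetical names, and the example goes slightly beyond the report by also covering the exact-fill case, where the documented `_vsnprintf` behaviour is to return the length while still writing no terminator.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for msvcrt's _vsnprintf so this runs on any C99 system:
   text that does not fit is stored as `size` bytes with no '\0'. */
static int model_vsnprintf(char *dst, size_t size, const char *fmt, va_list ap)
{
    char tmp[256];                                  /* model limit: 255 bytes of text */
    int n = vsnprintf(tmp, sizeof tmp, fmt, ap);
    if (n < 0 || (size_t)n >= sizeof tmp) return -1;
    memcpy(dst, tmp, (size_t)n < size ? (size_t)n + 1 : size); /* '\0' only if it fits */
    return (size_t)n <= size ? n : -1;              /* exact fill returns n, overflow -1 */
}

/* Unchecked caller: returns 1 only if dst holds a terminated string. */
static int raw_terminated(char *dst, size_t size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    model_vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    return memchr(dst, '\0', size) != NULL;
}

/* Hypothetical wrapper: dst is always terminated; returns the stored length
   and sets *truncated on a negative return or an exact fill. */
static int safe_snprintf(char *dst, size_t size, int *truncated, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (size == 0) { *truncated = 1; return 0; }
    dst[0] = '\0';                                  /* defined even if nothing is written */
    va_start(ap, fmt);
    n = model_vsnprintf(dst, size, fmt, ap);
    va_end(ap);
    dst[size - 1] = '\0';                           /* terminate whatever came back */
    *truncated = (n < 0 || (size_t)n >= size);
    return (int)strlen(dst);
}

int main(void)
{
    char buf[8];
    int cut, raw = raw_terminated(buf, sizeof buf, "%s", "overflowing");
    int len = safe_snprintf(buf, sizeof buf, &cut, "%s", "overflowing");
    printf("raw terminated=%d; safe \"%s\" len=%d truncated=%d\n", raw, buf, len, cut);
    return 0;
}
```

On a Windows build the stand-in would be replaced by the real `_vsnprintf`; the wrapper logic does not change.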
Comment 2 Eugene C. 2011-02-18 15:52:10 EST
Created attachment 2616
engine fix

updated fix
Comment 3 Thilo Schulz 2011-02-23 11:19:32 EST
Thanks for bringing this to our attention. Your fix is very inconvenient though; I didn't use it. Fixed in r1899.