When printing near the end of the buffer, there was an overflow in two cases:
(1) %c and size is zero
(2) %1N, %1I, %1I4, %1I6 (auto-fill field_width for Net or IP), size is
more than actual length of the net/ip but less than the auto-filled
field width.
Manual code examination showed that nothing could have ever triggered
this behavior. All older versions of BIRD, including BIRD 3 development
versions, are totally safe. This exact overflow has been found while
implementing a new feature in later commits.
int qualifier; /* 'h' or 'l' for integer fields */
for (start=str=buf ; *fmt ; ++fmt, size-=(str-start), start=str) {
+ if (!size)
+ return -1;
if (*fmt != '%') {
- if (!size)
- return -1;
*str++ = *fmt;
continue;
}
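Review bot: moving `if (!size) return -1;` ahead of the `*fmt != '%'` test only guarantees one free byte per iteration, which is enough for a literal character or a bare `%c` but not for a directive that emits more than one byte (padding to a field width, for example); each directive path still needs its own bound against `size`, since the loop's `size-=(str-start)` bookkeeping only runs after the iteration has already written. The relocated check also now returns -1 for a directive that would emit zero bytes into a full buffer, which the previous placement let through; if that is the intended behaviour, a one-line comment above the check saying so would spare the next reader the question.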
len = strlen(s);
if (precision >= 0 && len > precision)
len = precision;
- if (len > size)
+ if ((len > size) || (field_width > size))
return -1;
if (!(flags & LEFT))
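Review bot: the combined `(len > size) || (field_width > size)` is a sufficient bound, because the padded output is max(len, field_width) bytes, but only if the auto-fill of `field_width` for `%1N`/`%1I` described in the commit message has already happened by this line; if the width is filled in later, this check never sees it, so please confirm the ordering. Writing the condition as a single max-style comparison of `len` and `field_width` against `size` would state that intent directly and keep the two bounds from drifting apart in later edits. The order relative to `precision` is right: `len` is checked after truncation, which is the length that actually gets copied.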