Fixed snprintf() off-by-one bug and found out that snprintf()

might emulate sprintf() behaviour with len == 0 args.

Now. we assert() that sprintf() length is >= 0.  If len == 0, then
strx_printv() silently returns, leaving the buffer untouched.

diff --git a/lib/snprintf.c b/lib/snprintf.c
index ec9a3cf98752c566982971d18c998808ae94efa9..c3c31f3cfffa7b0333283dce1c810f0dcdb89d8c 100644 (file)
--- a/lib/snprintf.c
+++ b/lib/snprintf.c
@@ -64,6 +64,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <math.h>
+#include <assert.h>
 
 #ifdef HAVE_CVT
 
@@ -887,12 +888,24 @@ strx_printv(int *ccp, char *buf, size_t len, const char *format,
     buffy od;
     int cc;
 
+    /*
+     * If someone calls snprintf(buf, 0, ...), then len == -1 here.
+     * Previously this code would assume an "unlimited" buffer size,
+     * thereby emulating sprintf().  Now we silently return and hope
+     * the caller doesn't expect us to terminate the buffer!
+     */
+    if (len < 0)
+       return;
     /*
      * First initialize the descriptor
      * Notice that if no length is given, we initialize buf_end to the
      * highest possible address.
      */
+#if OLD_CODE
     od.buf_end = len ? &buf[len] : (char *) ~0;
+#else
+    od.buf_end = &buf[len];
+#endif
     od.nextb = buf;
 
     /*
@@ -912,6 +925,7 @@ snprintf(char *buf, size_t len, const char *format,...)
 {
     int cc;
     va_list ap;
+    assert(len >= 0);
     va_start(ap, format);
     strx_printv(&cc, buf, (len - 1), format, ap);
     va_end(ap);
@@ -925,6 +939,7 @@ vsnprintf(char *buf, size_t len, const char *format,
     va_list ap)
 {
     int cc;
+    assert(len >= 0);
     strx_printv(&cc, buf, (len - 1), format, ap);
     return (cc);
 }