[MEDIUM] ensure we never overflow in chunk_printf()

The result of the vsnprintf() called in chunk_printf() must be checked,
and should be added only if lower than the requested size. We simply
return zero if we cannot write the chunk.

diff --git a/src/buffers.c b/src/buffers.c
index 658539c3ada5dd184e91d1552c2e305e63c29683..8b2c4d33eb34ac9f6094563eca08a6264443022c 100644 (file)
--- a/src/buffers.c
+++ b/src/buffers.c
@@ -193,9 +193,15 @@ int buffer_insert_line2(struct buffer *b, char *pos, const char *str, int len)
 int chunk_printf(struct chunk *chk, int size, const char *fmt, ...)
 {
        va_list argp;
+       int ret;
 
        va_start(argp, fmt);
-       chk->len += vsnprintf(chk->str + chk->len, size - chk->len, fmt, argp);
+       ret = vsnprintf(chk->str + chk->len, size - chk->len, fmt, argp);
+       if (ret >= size - chk->len)
+               /* do not copy anything in case of truncation */
+               chk->str[chk->len] = 0;
+       else
+               chk->len += ret;
        va_end(argp);
        return chk->len;
 }