From: wessels <> Date: Fri, 24 Apr 1998 02:11:09 +0000 (+0000) Subject: Fixed snprintf() off-by-one bug and found out that snprintf() X-Git-Tag: SQUID_3_0_PRE1~3448 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=461d2ef6be2ae032f07943fcf95168bc6c972d2d;p=thirdparty%2Fsquid.git Fixed snprintf() off-by-one bug and found out that snprintf() might emulate sprintf() behaviour with len == 0 args. Now. we assert() that sprintf() length is >= 0. If len == 0, then strx_printv() silently returns, leaving the buffer untouched. --- diff --git a/lib/snprintf.c b/lib/snprintf.c index ec9a3cf987..c3c31f3cff 100644 --- a/lib/snprintf.c +++ b/lib/snprintf.c @@ -64,6 +64,7 @@ #include #include #include +#include #ifdef HAVE_CVT @@ -887,12 +888,24 @@ strx_printv(int *ccp, char *buf, size_t len, const char *format, buffy od; int cc; + /* + * If someone calls snprintf(buf, 0, ...), then len == -1 here. + * Previously this code would assume an "unlimited" buffer size, + * thereby emulating sprintf(). Now we silently return and hope + * the caller doesn't expect us to terminate the buffer! + */ + if (len < 0) + return; /* * First initialize the descriptor * Notice that if no length is given, we initialize buf_end to the * highest possible address. */ +#if OLD_CODE od.buf_end = len ? &buf[len] : (char *) ~0; +#else + od.buf_end = &buf[len]; +#endif od.nextb = buf; /* @@ -912,6 +925,7 @@ snprintf(char *buf, size_t len, const char *format,...) { int cc; va_list ap; + assert(len >= 0); va_start(ap, format); strx_printv(&cc, buf, (len - 1), format, ap); va_end(ap); @@ -925,6 +939,7 @@ vsnprintf(char *buf, size_t len, const char *format, va_list ap) { int cc; + assert(len >= 0); strx_printv(&cc, buf, (len - 1), format, ap); return (cc); }
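Review bot: In strx_printv the new guard `if (len < 0) return;` can never fire, because `len` is declared `size_t` in the signature shown in the hunk header and is therefore unsigned; the same holds for the `assert(len >= 0);` lines added in the snprintf and vsnprintf hunks. A call with len == 0 still passes `(len - 1)`, which wraps to the largest size_t value, so `od.buf_end = &buf[len]` is computed far outside the buffer, and whether output stays bounded then depends on comparisons outside this hunk. Testing the caller's value before the subtraction would give the behaviour the commit message describes, e.g. `if (len == 0) return 0;` ahead of the `strx_printv(&cc, buf, (len - 1), format, ap);` call in both wrappers (the right return value is for the author to confirm). If an early return is kept in strx_printv, it should also store to `*ccp`, since both callers return `cc` without initialising it. The body of strx_printv continues outside the hunk.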