From: Willy Tarreau Date: Fri, 29 Mar 2019 18:13:23 +0000 (+0100) Subject: MINOR: tools: make memvprintf() never pass a NULL target to vsnprintf() X-Git-Tag: v2.0-dev3~363 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e0609f5f49f55b122e7da9bd1d3b1b786366e80c;p=thirdparty%2Fhaproxy.git MINOR: tools: make memvprintf() never pass a NULL target to vsnprintf() Most modern platforms don't touch the output buffer when the size argument is null, but there exist a few old ones (like AIX 5 and possibly Tru64) where the output will be dereferenced anyway, probably to write the trailing null, crashing the process. memprintf() uses this to measure the desired length. There is a very simple workaround to this consisting in passing a pointer to a character instead of a NULL pointer. It was confirmed to fix the issue on AIX 5.1. --- diff --git a/src/standard.c b/src/standard.c index 03072b96b9..09bc155136 100644 --- a/src/standard.c +++ b/src/standard.c @@ -3577,12 +3577,14 @@ char *memvprintf(char **out, const char *format, va_list orig_args) return NULL; do { + char buf1; + /* vsnprintf() will return the required length even when the * target buffer is NULL. We do this in a loop just in case * intermediate evaluations get wrong. */ va_copy(args, orig_args); - needed = vsnprintf(ret, allocated, format, args); + needed = vsnprintf(ret ? ret : &buf1, allocated, format, args); va_end(args); if (needed < allocated) { /* Note: on Solaris 8, the first iteration always
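Review bot: In the changed call `vsnprintf(ret ? ret : &buf1, allocated, format, args)`, `&buf1` points to a single byte, so the call is only safe while `allocated` is 0 whenever `ret` is NULL. The hunk does not show that relationship, and a later change that leaves `allocated` non-zero with a NULL `ret` would let vsnprintf() write past `buf1`. Consider stating the invariant in a comment at the `char buf1;` declaration, or passing `ret ? allocated : 0` as the size so the bound is visible at the call site. The existing comment above the call still says vsnprintf() returns the required length "even when the target buffer is NULL", which no longer matches what is passed. It should be updated to mention the dummy byte and the AIX 5 behaviour described in the commit message, since the new declaration otherwise carries no explanation.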