#3 Module crashes during convert if string is long enough

open
accepted
nobody
None
5
2014-11-11
2014-11-11
No

Function str_write uses vsnprintf incorrectly:

From the man page for the functions vprintf(), vfprintf(), vsprintf(), vsnprintf():
"Because they invoke the va_arg macro, the value of ap is undefined after the call."

If the string doesn't fit into 256 bytes, then the buffer will be realloc'ed and the undefined ap will be used on the next egg_vsnprintf call.

Possible fix:

diff -upr a/logs2html.mod/fileoperations.c b/logs2html.mod/fileoperations.c
--- a/logs2html.mod/fileoperations.c    2009-05-08 21:52:04.000000000 +0400
+++ b/logs2html.mod/fileoperations.c    2014-11-11 10:12:35.462330419 +0400
@@ -116,14 +116,14 @@ static void str_write(FILE *file, char *

    buffer = (char *)nmalloc(size);

-   va_start(ap, fstr);
    while (true) {
+       va_start(ap, fstr);
        nchars = egg_vsnprintf(buffer, size, fstr, ap);
+       va_end(ap);
        if (nchars < size) break;
        size *= 2;
        buffer = (char *)nrealloc(buffer, size);
    }
-   va_end(ap);

fwrite(buffer, sizeof(char), strlen(buffer), file);
nfree(buffer); buffer = NULL;
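
Review bot: the exit test `if (nchars < size) break;` also fires when `egg_vsnprintf` returns a negative value, and the `fwrite(buffer, sizeof(char), strlen(buffer), file);` after the loop then runs `strlen` over a buffer that may not hold a terminated string. If `egg_vsnprintf` can report errors the way `vsnprintf` does, handle `nchars < 0` explicitly (free the buffer and return) before the size comparison, and pass `nchars` to `fwrite` instead of recomputing the length. Moving `va_start`/`va_end` inside the loop does give every call a fresh `ap`; a one-line comment saying so would keep a later cleanup from hoisting them back out.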
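
The same retry loop can also be written with `va_copy`, so that the caller's `va_list` is never consumed and the helper can take a `va_list` directly. This is an added example, not code from logs2html or from the patch above: it uses the standard `vsnprintf`, `malloc` and `realloc` in place of the module's `egg_vsnprintf`, `nmalloc` and `nrealloc`, the names `format_alloc` and `format_alloc_v` are hypothetical, and it assumes a C99 `vsnprintf` that returns the required length on truncation.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper (not from logs2html): format into a heap buffer,
 * growing it until the output fits. Returns NULL on error; caller frees. */
static char *format_alloc_v(size_t size, const char *fmt, va_list ap)
{
    if (size == 0) size = 1;
    char *buf = malloc(size);
    if (buf == NULL) return NULL;

    for (;;) {
        va_list aq;
        va_copy(aq, ap);                 /* fresh copy; ap itself stays unread */
        int n = vsnprintf(buf, size, fmt, aq);
        va_end(aq);                      /* aq is indeterminate after the call */

        if (n < 0) { free(buf); return NULL; }  /* output/encoding error */
        if ((size_t)n < size) return buf;       /* fitted and NUL-terminated */

        size = (size_t)n + 1;            /* C99: n is the length actually needed */
        char *tmp = realloc(buf, size);
        if (tmp == NULL) { free(buf); return NULL; }
        buf = tmp;
    }
}

static char *format_alloc(size_t initial, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    char *s = format_alloc_v(initial, fmt, ap);
    va_end(ap);
    return s;
}

int main(void)
{
    /* Constructed input: the 8-byte initial buffer forces the retry path. */
    char *s = format_alloc(8, "%s joined %s at %02d:%02d", "nick", "#channel", 10, 12);
    if (s == NULL) return 1;
    printf("%zu bytes: %s\n", strlen(s), s);
    free(s);
    return 0;
}
```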

Discussion

  • Shmupsik

    Shmupsik - 2014-11-11
    • Status: open --> accepted
     
  • Shmupsik

    Shmupsik - 2014-11-11

    Thank you. Marked proposed solution as accepted, although I can't test it now.

     