[vlc-devel] [PATCH] vasprintf: stop HEAP exceptions

ken kenself at optusnet.com.au
Tue Jan 6 02:00:47 CET 2009


On Mon, 2009-01-05 at 17:05 +0100, Rémi Denis-Courmont wrote:
> What is this supposed to achieve? The buffer at <res> is exactly the 
> right length to start with. In case the earlier vsnprintf() 
> returned -1, this patch trades a heap overflow for an off-by-one 
> overflow and causes the function to return an incorrect value.

I wish that were true, but on Win32 for the %p format vasprintf is
allocating a buffer and then overrunning it.
It was also doing this for the %S format, which I have replaced with %s.

Here is what is happening:
With a format of %p and an input value of 0xaaaaL,
vsnprintf produces "0paaaa" and returns a length of 6;
vsprintf produces "0000AAAA" and returns a length of 8.
So if vsprintf writes to the memory allocated on the basis of vsnprintf,
it overflows by 2 characters.

By using vsnprintf in the second call we can ensure the same string is
produced as in the first call, so there is no overrun.

Interestingly, using the %lx format with an input value of 0xaaaaL,
vsnprintf produces "6b1a45170000aaaa" and returns a length of 16;
vsprintf produces "aaaa" and returns a length of 4.

Something is messed up in vsnprintf.

I am compiling with mingw runtime 3.13 and
i586-mingw32msvc-gcc 4.2.1-sjlj.

regards
Ken
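The pattern under discussion (measure with vsnprintf, allocate, then write into the allocation) is safe only if the second formatting call is bounded by the buffer size. The following is an added illustration, not VLC's vasprintf fallback and not Ken's patch: a hypothetical safe_vasprintf()/safe_asprintf() pair that uses a bounded vsnprintf for both passes and treats a disagreement between the two passes as an error instead of a silent overrun or truncation. It assumes a C99-conforming vsnprintf that returns the required length when called with a NULL buffer and size 0; the mail itself shows that the mingw runtime in question does not reliably agree with vsprintf, which is exactly the case the length comparison catches.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical vasprintf() replacement (added example, not VLC's own code).
 * Both passes go through vsnprintf(): the first measures, the second writes
 * bounded by the allocation. If the C runtime's two answers disagree (as the
 * mail reports for %p on Win32), the function fails instead of overrunning
 * the heap or returning a truncated string with a wrong length. */
int safe_vasprintf(char **res, const char *fmt, va_list ap)
{
    va_list ap2;
    int len, written;
    char *buf;

    *res = NULL;

    /* First pass: measure only. Copy the va_list, since vsnprintf consumes it. */
    va_copy(ap2, ap);
    len = vsnprintf(NULL, 0, fmt, ap2);
    va_end(ap2);
    if (len < 0)
        return -1;              /* format or encoding error, nothing allocated */

    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return -1;

    /* Second pass: write into the buffer, bounded by its size. Even if the
     * runtime now wants to emit a longer string, vsnprintf truncates rather
     * than writing past the allocation. */
    written = vsnprintf(buf, (size_t)len + 1, fmt, ap);
    if (written != len) {
        /* The two passes disagreed: inconsistent runtime. Fail loudly rather
         * than hand back a mis-sized result. */
        free(buf);
        return -1;
    }

    *res = buf;
    return len;
}

/* Variadic convenience wrapper around safe_vasprintf(). */
int safe_asprintf(char **res, const char *fmt, ...)
{
    va_list ap;
    int ret;

    va_start(ap, fmt);
    ret = safe_vasprintf(res, fmt, ap);
    va_end(ap);
    return ret;
}

/* Self-check using the mail's 0xaaaaL sample value: returns 1 when the
 * length and contents both match the expected "value=aaaa/ok". */
int demo(void)
{
    char *s = NULL;
    int n = safe_asprintf(&s, "value=%lx/%s", 0xaaaaUL, "ok");
    int good = (n == 13 && s != NULL && strcmp(s, "value=aaaa/ok") == 0);
    free(s);
    return good;
}

int main(void)
{
    printf("safe_asprintf self-check: %s\n", demo() ? "ok" : "FAILED");
    return demo() ? 0 : 1;
}
```

On a consistent runtime the `written != len` branch never fires; its purpose is to turn the silent mismatch described in the mail into a visible failure, which is the property a caller allocating on the strength of the first vsnprintf actually needs.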
