[vlc-devel] [PATCH] vasprintf: stop HEAP exceptions
kenself at optusnet.com.au
Tue Jan 6 02:00:47 CET 2009
On Mon, 2009-01-05 at 17:05 +0100, Rémi Denis-Courmont wrote:
> What is this supposed to achieve? the buffer at <res> is exactly the
> right length to start with. In case the earlier vsnprintf()
> returned -1, this patch trades a heap overflow with an off-by-one
> overflow and causes the function to return an incorrect value.
I wish that were true, but on Win32, for the %p format, vasprintf allocates a
buffer and then overruns it.
It was also doing this for the %S format, which I have replaced with %s.
Here is what is happening:
With a format of %p and an input value of 0xaaaaL:
vsnprintf produces "0paaaa" and returns a length of 6;
vsprintf produces "0000AAAA" and returns a length of 8.
So if vsprintf writes to the memory allocated on the basis of vsnprintf,
it overflows by 2 characters.
By using vsnprintf in the second call we can ensure the same string is
produced as in the first call, so there is no overrun.
Interestingly, using the %lx format with an input value of 0xaaaaL:
vsnprintf produces "6b1a45170000aaaa" and returns a length of 16;
vsprintf produces "aaaa" and returns a length of 4.
Something is messed up in vsnprintf.
I am compiling with mingw runtime 3.13 and
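The pattern the thread argues for, written out as an added example (this is not the patch under review nor VLC's own code): size the buffer and fill it with the same bounded function, vsnprintf, and treat a mismatch between the two return values as a failure instead of trusting the runtime. It assumes a C99 vsnprintf that reports the required length when given a NULL buffer; the function names safe_vasprintf and safe_asprintf are my own.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not VLC's code: a vasprintf replacement that sizes
 * and fills with the SAME function, vsnprintf, so the fill pass can
 * never write more than the sizing pass reported. The second return
 * value is checked against the first instead of being trusted blindly. */
int safe_vasprintf(char **res, const char *fmt, va_list ap)
{
    va_list ap2;
    int len, written;
    char *buf;

    *res = NULL;
    va_copy(ap2, ap);
    len = vsnprintf(NULL, 0, fmt, ap2); /* C99: required length, excluding NUL */
    va_end(ap2);
    if (len < 0)
        return -1; /* pre-C99 runtimes may return -1 here: refuse rather than guess */

    buf = malloc((size_t)len + 1);
    if (buf == NULL)
        return -1;

    va_copy(ap2, ap);
    written = vsnprintf(buf, (size_t)len + 1, fmt, ap2); /* bounded fill */
    va_end(ap2);
    if (written != len) {
        /* The runtime disagreed with itself (the %p / %lx case in the post):
         * fail instead of handing the caller a truncated or mis-sized string. */
        free(buf);
        return -1;
    }
    *res = buf;
    return len;
}

/* Convenience wrapper so the example can be exercised with a plain call. */
int safe_asprintf(char **res, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = safe_vasprintf(res, fmt, ap);
    va_end(ap);
    return n;
}
```

Because the fill pass is bounded by the length the sizing pass returned, a runtime that formats %p inconsistently (as described above) can at worst truncate, which the return-value check then reports, rather than write past the allocation.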