diff options
| author | Gabriel Ravier <gabravier@gmail.com> | 2023-04-14 16:55:42 +0200 |
|---|---|---|
| committer | Rich Felker <dalias@aerifal.cx> | 2023-04-14 11:19:33 -0400 |
| commit | 4724793f96b163e95cb15e1b7374ff2b0434ed15 (patch) | |
| tree | 8dafdcab4bd48623579d6f28fd286a8b31a44b59 | |
| parent | c1b42c4a3a0324ec25877980f59db233fa420925 (diff) | |
| download | musl-4724793f96b163e95cb15e1b7374ff2b0434ed15.tar.gz | |
fix wide printf numbered argument buffer overflow
The nl_type and nl_arg arrays defined in vfwprintf may be accessed
with an index up to and including NL_ARGMAX, but they are only of size
NL_ARGMAX, meaning they may be written to or read from 1 element too
far.
| -rw-r--r-- | src/stdio/vfwprintf.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c index 18784113..53697701 100644 --- a/src/stdio/vfwprintf.c +++ b/src/stdio/vfwprintf.c @@ -347,8 +347,8 @@ overflow: int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap) { va_list ap2; - int nl_type[NL_ARGMAX] = {0}; - union arg nl_arg[NL_ARGMAX]; + int nl_type[NL_ARGMAX+1] = {0}; + union arg nl_arg[NL_ARGMAX+1]; int olderr; int ret; |