authorYukihiro "Matz" Matsumoto <[email protected]>2020-06-20 18:56:33 +0900
committerYukihiro "Matz" Matsumoto <[email protected]>2020-06-20 18:56:33 +0900
commitd40b922c9803a8ab9ed60108d693940bd31f95b3 (patch)
treea21bb69e74d077ae92a55bd1288b15271a7c778b /mrbgems/mruby-sprintf/src
parent28e793496a4be0609837e25aa16a3f3ebe402e33 (diff)
Fix potential buffer overflow in `sprintf.c`.
Diffstat (limited to 'mrbgems/mruby-sprintf/src')
-rw-r--r--mrbgems/mruby-sprintf/src/sprintf.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/mrbgems/mruby-sprintf/src/sprintf.c b/mrbgems/mruby-sprintf/src/sprintf.c
index 9a7671a24..bf7a4d725 100644
--- a/mrbgems/mruby-sprintf/src/sprintf.c
+++ b/mrbgems/mruby-sprintf/src/sprintf.c
@@ -842,7 +842,7 @@ retry:
case 'B':
case 'u': {
mrb_value val = GETARG();
- char nbuf[68], *s;
+ char nbuf[69], *s;
const char *prefix = NULL;
int sign = 0, dots = 0;
char sc = 0;
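Review bot: The new size on `char nbuf[69], *s;` is a bare literal, and the two later hunks bound their writes with `sizeof(nbuf)-1` (the `mrb_int2str` call) and `sizeof(nbuf)-2` (the `strncpy` into `++s`), so three numbers must stay in agreement with no statement of the layout they assume. A comment at the declaration would make that invariant checkable, for example `/* nbuf: 1 leading byte + up to 67 digit bytes + NUL; keep in sync with the -1/-2 bounds below */`. The byte breakdown is inferred from the offsets, assuming `s` points at `nbuf` before the `++s`, and should be confirmed. `strncpy` also writes no terminator when the source fills the whole count, so the final byte of `nbuf` has to be set elsewhere; that code is not visible in these hunks. The `case` block starts before this hunk and continues past it.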
@@ -914,7 +914,7 @@ retry:
width--;
}
mrb_assert(base == 10);
- mrb_int2str(nbuf, sizeof(nbuf), v);
+ mrb_int2str(nbuf, sizeof(nbuf)-1, v);
s = nbuf;
if (v < 0) s++; /* skip minus sign */
}
@@ -927,7 +927,7 @@ retry:
else {
val = mrb_fixnum_to_str(mrb, mrb_fixnum_value(v), base);
}
- strncpy(++s, RSTRING_PTR(val), sizeof(nbuf)-1);
+ strncpy(++s, RSTRING_PTR(val), sizeof(nbuf)-2);
if (v < 0) {
char d;