Fix a potential buffer overflow in the logging code (Issue #272)
michaelrsweet committed Apr 12, 2023
1 parent 0ae7f96 commit 9637431
Showing 2 changed files with 7 additions and 6 deletions.
1 change: 1 addition & 0 deletions CHANGES.md
Expand Up @@ -10,6 +10,7 @@ Changes in v1.4.0
- Added new `papplDeviceRemoveScheme` and `papplDeviceRemoveTypes` APIs to
disable unwanted device types (Issue #259)
- Fixed printing of 1/2/4-bit grayscale PNG images (Issue #267)
- Fixed a potential buffer overflow in the logging code (Issue #272)
- Updated the `options` sub-command to list vendor options and values
(Issue #255)
- Updated web interface to show the age of jobs (Issue #256)
12 changes: 6 additions & 6 deletions pappl/log.c
Expand Up @@ -565,7 +565,7 @@ write_log(pappl_system_t *system, // I - System
case 'e' :
case 'f' :
case 'g' :
snprintf(bufptr, (size_t)(bufptr - bufend + 1), tformat, va_arg(ap, double));
snprintf(bufptr, (size_t)(bufend - bufptr), tformat, va_arg(ap, double));
bufptr += strlen(bufptr);
break;
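
Review bot: In the `'e'`/`'f'`/`'g'` case, `bufptr += strlen(bufptr)` still runs after the `snprintf` when `bufend - bufptr` is 0. With a zero size `snprintf` writes nothing, not even a terminating NUL, so `strlen` then measures whatever bytes already sit at `bufptr`. Consider skipping the conversion when `bufptr >= bufend`, or advancing by the `snprintf` return value clamped to the remaining space; the same guard would also keep the `size_t` cast from wrapping if `bufptr` ever moved past `bufend`.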

Expand All @@ -579,18 +579,18 @@ write_log(pappl_system_t *system, // I - System
case 'x' :
# ifdef HAVE_LONG_LONG
if (size == 'L')
snprintf(bufptr, (size_t)(bufptr - bufend + 1), tformat, va_arg(ap, long long));
snprintf(bufptr, (size_t)(bufend - bufptr), tformat, va_arg(ap, long long));
else
# endif // HAVE_LONG_LONG
if (size == 'l')
snprintf(bufptr, (size_t)(bufptr - bufend + 1), tformat, va_arg(ap, long));
snprintf(bufptr, (size_t)(bufend - bufptr), tformat, va_arg(ap, long));
else
snprintf(bufptr, (size_t)(bufptr - bufend + 1), tformat, va_arg(ap, int));
snprintf(bufptr, (size_t)(bufend - bufptr), tformat, va_arg(ap, int));
bufptr += strlen(bufptr);
break;

case 'p' : // Log a pointer
snprintf(bufptr, (size_t)(bufptr - bufend + 1), "%p", va_arg(ap, void *));
snprintf(bufptr, (size_t)(bufend - bufptr), "%p", va_arg(ap, void *));
bufptr += strlen(bufptr);
break;
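
Review bot: The remaining-space expression `(size_t)(bufend - bufptr)` is repeated at four call sites across the integer and `'p'` cases here, which is how one reversed subtraction ended up in every one of them. Computing it once per conversion into a local (for example a hypothetical `size_t bufrem = (size_t)(bufend - bufptr);`) or routing the bounded write through one small static helper would leave a single place to audit. A short comment stating whether `bufend` points at the last byte of the buffer or one past it would also document why the `+ 1` was dropped.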

Expand Down Expand Up @@ -651,7 +651,7 @@ write_log(pappl_system_t *system, // I - System
break;

default : // Something else we don't support
papplCopyString(bufptr, tformat, (size_t)(bufptr - bufend + 1));
papplCopyString(bufptr, tformat, (size_t)(bufend - bufptr));
bufptr += strlen(bufptr);
break;
}
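
Review bot: The `default` case passes the same size to `papplCopyString` and then advances with `strlen(bufptr)`, so it depends on `papplCopyString` leaving a terminated string at `bufptr` even when the size is 0. Its implementation is not part of this diff, so that is worth confirming or guarding with a `bufptr < bufend` check. The commit changes only `CHANGES.md` and `pappl/log.c`; a test that logs a message long enough to reach `bufend` through each conversion would catch a regression of this size calculation.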

4 comments on commit 9637431

@kloczek
IMO it would be nice to release a new version because of that commit.
Possible? 😋

@michaelrsweet
Owner Author
@kloczek I plan on doing so as soon as my schedule allows…

@kloczek
Thank you 👍

@zdohnal
Contributor
FTR Fedora has this fix backported, the update is in updates-testing.
