tcDspFirmware::print_version_info() writes past end of buffer

Added by John Cumming about 7 years ago

print_version_info() can write more bytes than the 'anMaxLen' argument. The workaround is to pass it a large enough buffer, one that holds the full version string.

The declaration is
    static void print_version_info(void *apCoreAddr, char *apString=(char *)NULL, int anMaxLen=0);

Not knowing what size to allow, I called it with print_version_info(NULL, bufPtr, 40). It wanted to print about 72 chars to bufPtr.

It uses snprintf() to print the version info, a part at a time. It increases 'offset' to know where to write the next part into apString, and 'bytes_left' to track the remaining bytes to write. Like,
    rv = snprintf(&apString[offset], bytes_left, "Version %d.%02d:", cv.ver1.bits.major, cv.ver1.bits.minor);
    bytes_left -= rv;
    offset += rv;

Unfortunately, snprintf() doesn't return the number of bytes written. It returns the number of bytes that would have been written, excluding the terminating null, if there was no space limit.

The result is that bytes_left goes negative, instead of stopping the printing when bytes_left reaches zero. snprintf treats the negative number as a very big unsigned int. And therefore writes more than 'anMaxLen' bytes to 'apString'.


Replies (1)

RE: tcDspFirmware::print_version_info() writes past end of buffer - Added by Michael Williamson about 7 years ago

Hi John,

Thanks for the information, we'll patch this up for the next release. I'm very sorry for the bug (and curious why our SA tool didn't catch this one).


    Add picture from clipboard (Maximum size: 600 MB)