From ab882df7b1b5ac012f956cfe553a50e3cb5cb4aa Mon Sep 17 00:00:00 2001
From: Sam Hocevar
Date: Sun, 9 Sep 2012 15:00:05 +0000
Subject: [PATCH] string: fix a potential memory corruption with caca_printf() calls done outside the canvas.
---
 caca/string.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/caca/string.c b/caca/string.c
index d583635..16a25eb 100644
--- a/caca/string.c
+++ b/caca/string.c
@@ -315,7 +315,7 @@ int caca_printf(caca_canvas_t *cv, int x, int y, char const *format, ...)
 *
 * Format a string at the given coordinates, using the default foreground
 * and background values. The coordinates may be outside the canvas
- * boundaries (eg. a negative Y coordinate) and the string will be cropped
+ * boundaries (eg. a negative X coordinate) and the string will be cropped
 * accordingly if it is too long. The syntax of the format string is the
 * same as for the C vprintf() function.
 *
@@ -337,19 +337,22 @@ int caca_vprintf(caca_canvas_t *cv, int x, int y, char const *format,
 {
 char tmp[BUFSIZ];
 char *buf = tmp;
- int ret;
+ int bufsize = BUFSIZ, ret;
 if(cv->width - x + 1 > BUFSIZ)
- buf = malloc(cv->width - x + 1);
+ {
+ bufsize = cv->width - x + 1;
+ buf = malloc(bufsize);
+ }
 #if defined(HAVE_VSNPRINTF_S)
- vsnprintf_s(buf, cv->width - x + 1, _TRUNCATE, format, args);
+ vsnprintf_s(buf, bufsize, _TRUNCATE, format, args);
 #elif defined(HAVE_VSNPRINTF)
- vsnprintf(buf, cv->width - x + 1, format, args);
+ vsnprintf(buf, bufsize, format, args);
 #else
 vsprintf(buf, format, args);
 #endif
- buf[cv->width - x] = '\0';
+ buf[bufsize - 1] = '\0';
 ret = caca_put_str(cv, x, y, buf);
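Review bot: The result of `malloc(bufsize)` in the new braced branch of caca_vprintf is used without a NULL check, so a failed allocation reaches the formatting call and the `buf[bufsize - 1] = '\0'` store through a null pointer. A guard such as `if(!buf) return -1;` directly after the allocation would close that. The `#else` fallback `vsprintf(buf, format, args);` remains unbounded, so on builds that define neither HAVE_VSNPRINTF_S nor HAVE_VSNPRINTF the new `bufsize` does not limit the write and the terminator is stored only after any overrun. `cv->width - x + 1` is evaluated in `int`, so an extreme negative x can overflow before the comparison with BUFSIZ; a range check on x before the size computation would make the bound reliable. The function body continues past the end of this hunk, so the cleanup path is not visible here.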