https://sourceware.org/git/gitweb.cgi?p=newlib-cygwin.git;h=44499712954d7450262da9db4ee4219e40b1aaac
commit 44499712954d7450262da9db4ee4219e40b1aaac Author: Michael Haubenwallner <[email protected]> Date: Mon Oct 9 18:57:58 2017 +0200 cygwin: fix potential buffer overflow in small_sprintf With "%C" format string, argument may convert in up to MB_LEN_MAX bytes. Relying on sys_wcstombs to add a trailing zero here requires us to provide a large enough buffer. * smallprint.c (__small_vsprintf): Use MB_LEN_MAX+1 bufsize for "%C". Diff:
---
 winsup/cygwin/smallprint.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/winsup/cygwin/smallprint.cc b/winsup/cygwin/smallprint.cc
index 3cec31c..8553f70 100644
--- a/winsup/cygwin/smallprint.cc
+++ b/winsup/cygwin/smallprint.cc
@@ -193,8 +193,8 @@ __small_vsprintf (char *dst, const char *fmt, va_list ap)
 case 'C':
 {
 WCHAR wc = (WCHAR) va_arg (ap, int);
- char buf[4], *c;
- sys_wcstombs (buf, 4, &wc, 1);
+ char buf[MB_LEN_MAX+1] = "", *c;
+ sys_wcstombs (buf, MB_LEN_MAX+1, &wc, 1);
 for (c = buf; *c; ++c)
 *dst++ = *c;
 }
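Review bot: The buffer size is still spelled twice in the `case 'C':` branch, once in the declaration and once in the call, which is the same duplication that let the old literal `4` drift from what the conversion can produce. Passing `sizeof buf` keeps the two in lockstep: `sys_wcstombs (buf, sizeof buf, &wc, 1);`. The copy loop stops on the first NUL and ignores the return value of `sys_wcstombs`, so termination depends on the `= ""` zero-fill and the spare byte. A short comment such as `/* buf is zero-filled; at most MB_LEN_MAX bytes are written, so the last byte stays NUL */` would record that invariant. Separately, `*dst++ = *c` can now emit up to MB_LEN_MAX bytes per `%C` into a `dst` with no bound visible here. The body of `__small_vsprintf` lies outside the hunk, so it is worth confirming that callers size their buffers for that worst case.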
