On Sat, 2007-05-19 at 23:33 +0300, Timo Sirainen wrote:
> ~/src/git-1.5.1% grep +=.*snprintf *.c
> builtin-grep.c: len += snprintf(argptr, sizeof(randarg)-len,
> builtin-grep.c: len += snprintf(argptr, sizeof(randarg)-len,
> builtin-grep.c: len += snprintf(argptr, sizeof(randarg)-len,
> commit.c: i += snprintf(parents + i, sizeof(parents) - i - 1, " %s",
> commit.c: i += snprintf(parents + i, sizeof(parents) - i - 1, " %s",
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len,
> diff.c: len += snprintf(msg + len, sizeof(msg) - len, "\n");
> path.c: len += vsnprintf(pathname + len, PATH_MAX - len, fmt, args);
>
> Every single one of those is wrong. Linux kernel's snprintf() handles
> code like this safely, but libc doesn't.

Correcting myself a bit: Actually only diff.c was wrong, in other cases they checked the overflow.
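The following is an added example, not code from git or from the thread above; it assumes a C99-conforming snprintf, whose return value is the length the complete output would have had rather than the number of bytes actually stored. It shows why `len += snprintf(msg + len, sizeof(msg) - len, ...)` can push `len` past the buffer so that `sizeof(msg) - len` wraps around, and a small append helper (`sbuf_appendf`, a hypothetical name) that checks the return value before trusting it. The buffer size and the strings are constructed for the demonstration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEMO_SIZE 16   /* constructed: small buffer so truncation is easy to hit */

/* Mirrors "len += snprintf(msg + len, sizeof(msg) - len, ...)" for one
 * piece and returns the size argument the unsafe code would pass to the
 * NEXT snprintf. When the piece is longer than the buffer, C99 snprintf
 * returns the full would-be length, len exceeds sizeof(msg), and
 * sizeof(msg) - len wraps to a huge size_t. The next call would then
 * write far past the end of msg; this function stops before that call. */
size_t unsafe_next_size(const char *piece)
{
    char msg[DEMO_SIZE];
    size_t len = 0;

    len += (size_t)snprintf(msg + len, sizeof(msg) - len, "%s", piece);
    return sizeof(msg) - len;   /* wraps when len > sizeof(msg) */
}

/* Bounded string builder (hypothetical helper, not git's API). */
struct sbuf {
    char *buf;
    size_t size;     /* total capacity, including the terminating NUL */
    size_t len;      /* invariant: len < size, so size - len never wraps */
    int truncated;
};

static void sbuf_init(struct sbuf *sb, char *buf, size_t size)
{
    sb->buf = buf;
    sb->size = size;
    sb->len = 0;
    sb->truncated = 0;
    if (size)
        buf[0] = '\0';
}

/* Append with the check the quoted lines were missing: the return value
 * is only added to len when it is smaller than the space that was
 * available. On overflow, len is clamped to size - 1 (where the NUL now
 * sits) and a truncation flag is raised, so later appends are refused
 * instead of writing out of bounds. */
static int sbuf_appendf(struct sbuf *sb, const char *fmt, ...)
{
    va_list ap;
    int n;
    size_t avail;

    if (sb->truncated || sb->size == 0)
        return -1;
    avail = sb->size - sb->len;          /* >= 1 because len < size */
    va_start(ap, fmt);
    n = vsnprintf(sb->buf + sb->len, avail, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= avail) {
        sb->len = sb->size - 1;          /* keep the invariant len < size */
        sb->buf[sb->len] = '\0';         /* defensive: also covers n < 0 */
        sb->truncated = 1;
        return -1;
    }
    sb->len += (size_t)n;
    return n;
}

/* Joins n pieces into a DEMO_SIZE buffer the safe way, copies the result
 * into out (which must hold at least DEMO_SIZE bytes) and returns 1 if
 * anything was dropped, 0 otherwise. */
int safe_join_demo(const char *const *pieces, size_t n, char *out)
{
    char msg[DEMO_SIZE];
    struct sbuf sb;
    size_t i;

    sbuf_init(&sb, msg, sizeof(msg));
    for (i = 0; i < n; i++)
        sbuf_appendf(&sb, "%s", pieces[i]);   /* no-op once truncated */
    memcpy(out, msg, sizeof(msg));
    return sb.truncated;
}

int main(void)
{
    const char *pieces[] = { "alpha", "beta", "gamma-delta-epsilon" };
    char out[DEMO_SIZE];
    size_t next = unsafe_next_size("0123456789abcdefghij");
    int truncated = safe_join_demo(pieces, 3, out);

    printf("unsafe: next size argument would be %zu (buffer is %d bytes)\n",
           next, DEMO_SIZE);
    printf("safe:   \"%s\" truncated=%d\n", out, truncated);
    return 0;
}
```

The safe variant never lets `len` reach `size`, so the subtraction that produces the next size argument cannot wrap; the unsafe variant relies on every piece fitting, which is exactly the assumption the quoted grep lines make.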