Here is an interesting one :-). Unfortunately I can't pass along a test case, but I think visual inspection of the code will be enough to see that f can be beyond format[0] when the snprintf() is called.
James M
+++ ./libdtrace/dt_printf.c 2008-07-28 16:54:04.000000000 -0700
@@ -1476,10 +1476,10 @@ dt_printf_format(dtrace_hdl_t *dtp, FILE
width = 0;
if (width != 0)
- f += snprintf(f, sizeof (format), "%d", ABS(width));
+ f += snprintf(f, sizeof (format) - (f - format), "%d",
ABS(width));
if (prec > 0)
- f += snprintf(f, sizeof (format), ".%d", prec);
+ f += snprintf(f, sizeof (format) - (f - format), ".%d",
prec);
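Review bot: the `f += snprintf(...)` pattern in both changed lines still lets f run past the end of format, because snprintf returns the length that would have been written, not the length actually stored; once a call truncates, f - format exceeds sizeof (format) and the next `sizeof (format) - (f - format)` wraps to a huge size_t, which silently removes the bound this patch is adding. Either check `(f - format) < sizeof (format)` before each call and bail out on truncation, or clamp the return value to the remaining space before advancing f, e.g. compute `rem = sizeof (format) - (f - format)` once and fail if the returned count is >= rem.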
_______________________________________________
dtrace-discuss mailing list
[email protected]