about summary refs log tree commit diff
diff options
context:
space:
mode:
authorGabriel Ravier <gabravier@gmail.com>2023-04-14 16:55:42 +0200
committerRich Felker <dalias@aerifal.cx>2023-04-14 11:19:33 -0400
commit4724793f96b163e95cb15e1b7374ff2b0434ed15 (patch)
tree8dafdcab4bd48623579d6f28fd286a8b31a44b59
parentc1b42c4a3a0324ec25877980f59db233fa420925 (diff)
downloadmusl-4724793f96b163e95cb15e1b7374ff2b0434ed15.tar.gz
musl-4724793f96b163e95cb15e1b7374ff2b0434ed15.tar.xz
musl-4724793f96b163e95cb15e1b7374ff2b0434ed15.zip
fix wide printf numbered argument buffer overflow
The nl_type and nl_arg arrays defined in vfwprintf may be accessed
with an index up to and including NL_ARGMAX, but they are only of size
NL_ARGMAX, meaning they may be written to or read from 1 element too
far.
-rw-r--r--src/stdio/vfwprintf.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c
index 18784113..53697701 100644
--- a/src/stdio/vfwprintf.c
+++ b/src/stdio/vfwprintf.c
@@ -347,8 +347,8 @@ overflow:
 int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
 {
 	va_list ap2;
-	int nl_type[NL_ARGMAX] = {0};
-	union arg nl_arg[NL_ARGMAX];
+	int nl_type[NL_ARGMAX+1] = {0};
+	union arg nl_arg[NL_ARGMAX+1];
 	int olderr;
 	int ret;