The Penguin of Evil on Nostr: C99 fun for the day
C99 fun for the day
If you use len = snprintf(NULL, 0, fmt, ...) to get the length of a partly user controlled input, then the input length limit is a size_t but the result is an int. Thus you can persuade many systems to return a small integer value, because size_t is 64-bit and int is 32-bit.
The code then usually mallocs a buffer (now a short one) and copies lots of user data into it.
E.g. the example in the Linux man page for using snprintf appears to be exploitable for user data.
#security
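As an added illustration (not code from the post or the man page), here is the measure-then-allocate pattern written so that the int return value is validated before it ever becomes a size_t. `naive_alloc_size` is an assumed helper that only shows the arithmetic the post warns about; `format_alloc` is an assumed name for the hardened version.

```c
#include <errno.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The arithmetic behind the bug: an unchecked int return value, converted
 * to size_t and bumped by one for the NUL. A negative result (which is
 * what a > INT_MAX formatted length yields) wraps to a tiny allocation. */
size_t naive_alloc_size(int snprintf_ret)
{
    return (size_t)snprintf_ret + 1;   /* -1 becomes 0 */
}

/* Hardened version (assumed helper): the int result of vsnprintf is
 * checked for error *before* it is widened to size_t, so an oversized or
 * malformed input yields NULL rather than a short buffer. */
char *format_alloc(const char *fmt, ...)
{
    va_list ap, ap2;
    va_start(ap, fmt);
    va_copy(ap2, ap);

    int needed = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    if (needed < 0) {            /* encoding error, or length > INT_MAX */
        va_end(ap2);
        return NULL;
    }

    size_t size = (size_t)needed + 1;   /* safe: needed is known >= 0 here */
    char *buf = malloc(size);
    if (buf == NULL) {
        va_end(ap2);
        return NULL;
    }

    int written = vsnprintf(buf, size, fmt, ap2);
    va_end(ap2);
    /* Second pass must agree with the first; if not, do not hand out buf. */
    if (written < 0 || (size_t)written >= size) {
        free(buf);
        return NULL;
    }
    return buf;
}
```

The caller frees the returned string; a NULL return is the signal that the input could not be sized safely and must not be copied anywhere.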