From 1650eb043f2f014fc31fced2fbcecf3b724fa700 Mon Sep 17 00:00:00 2001
From: Arne Goedeke <el@laramies.com>
Date: Wed, 5 Sep 2012 14:32:09 +0200
Subject: [PATCH] Fixed an overrun when passing untermindated pad strings to sprintf
---
 src/modules/sprintf/sprintf.c | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/src/modules/sprintf/sprintf.c b/src/modules/sprintf/sprintf.c
index 000e82af88..d33b94debe 100644
--- a/src/modules/sprintf/sprintf.c
+++ b/src/modules/sprintf/sprintf.c
@@ -1218,7 +1218,7 @@ static void low_pike_sprintf(struct format_stack *fs,
 fprintf(stderr, "Sprinf-glop: %d (%c)\n", INDEX_PCHARP(a,tmp), INDEX_PCHARP(a,tmp));
 #endif
- if(COMPARE_PCHARP(a,>=,format_end))
+ if(COMPARE_PCHARP(ADD_PCHARP(a, tmp),>=,format_end))
 sprintf_error(fs, "Unfinished pad string in format string.\n");
 }
 if(tmp)
@@ -2089,16 +2089,20 @@ static int push_sprintf_argument_types(PCHARP format, ptrdiff_t format_len,
 case '\'':
 tmp=0;
- for(INC_PCHARP(a,1);INDEX_PCHARP(a,tmp)!='\'';tmp++)
- {
- if(COMPARE_PCHARP(a,>=,format_end)) {
+ for(INC_PCHARP(a,1);
+ COMPARE_PCHARP(ADD_PCHARP(a, tmp),<,format_end)
+ && INDEX_PCHARP(a,tmp)!='\'';tmp++);
+
+ if (COMPARE_PCHARP(ADD_PCHARP(a, tmp),<,format_end)) {
+ INC_PCHARP(a,tmp);
+ continue;
+ } else {
+ INC_PCHARP(a,tmp);
 yyreport(severity, type_check_system_string, 0, "Unfinished pad string in format string.");
 ret = -1;
- }
+ break;
 }
- INC_PCHARP(a,tmp);
- continue;
 case '~':
 {
-- GitLab
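Review bot: In the first hunk (low_pike_sprintf) the corrected test `COMPARE_PCHARP(ADD_PCHARP(a, tmp),>=,format_end)` still runs after the element it is meant to guard has been read: the debug `fprintf` just above it already evaluates `INDEX_PCHARP(a,tmp)`, and the loop condition, which lies outside the hunk, presumably does too. When `a + tmp` equals `format_end` that is a read one element past the format before `sprintf_error` fires, which is only harmless if the buffer is guaranteed to carry a terminator there. Testing the bound in the loop condition ahead of the index, as the second hunk does with `COMPARE_PCHARP(ADD_PCHARP(a, tmp),<,format_end) && INDEX_PCHARP(a,tmp)!='\''`, and raising the error after the loop would close that gap and keep the two scanners consistent.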
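Review bot: The rewritten pad-string scan in push_sprintf_argument_types ends in a bare `;` loop body and then repeats both the bound test and `INC_PCHARP(a,tmp)` in each branch, which makes the `case '\''` arm harder to audit than it needs to be. Advancing `a` once and then testing it against `format_end` is equivalent and leaves one exit per outcome; a short comment should state that the scan never indexes at or past `format_end`. Note that `break` here leaves only the enclosing `switch`, so whether the error path actually stops parsing depends on the code after the switch, which is outside this hunk and worth confirming. The case arm starts inside the hunk, but the switch and its surrounding loop do not.

```c
	tmp=0;
	/* Find the closing quote; the bound is tested before each index,
	 * so nothing at or past format_end is read. */
	for(INC_PCHARP(a,1);
	    COMPARE_PCHARP(ADD_PCHARP(a, tmp),<,format_end)
	    && INDEX_PCHARP(a,tmp)!='\'';tmp++)
	  ;

	INC_PCHARP(a,tmp);
	if (COMPARE_PCHARP(a,<,format_end))
	  continue;
	/* ... unchanged: yyreport() call and ret = -1 ... */
	break;
```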