FIX: Fix buffer size when calling snprintf() with leading whitespace …
…and integer value.
uhm0311 authored and jhpark816 committed Aug 21, 2024
1 parent 589a5d4 commit 69ac3b6
Showing 2 changed files with 6 additions and 6 deletions.
4 changes: 2 additions & 2 deletions libmemcached/auto.cc
@@ -73,15 +73,15 @@ static memcached_return_t text_incr_decr(memcached_st *ptr,
return memcached_set_error(*ptr, MEMCACHED_BAD_KEY_PROVIDED, MEMCACHED_AT);
}

char offset_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH +1];
char offset_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH + 1 + 1]; // 1 for space, 1 for null termination
int offset_buffer_length= snprintf(offset_buffer, sizeof(offset_buffer), " %" PRIu64, offset);
if (size_t(offset_buffer_length) >= sizeof(offset_buffer) or offset_buffer_length < 0)
{
return memcached_set_error(*ptr, MEMCACHED_MEMORY_ALLOCATION_FAILURE, MEMCACHED_AT,
memcached_literal_param("snprintf(MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH)"));
}

char initial_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH*3 +3];
char initial_buffer[(MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH + 1)*3 + 1]; // 1 for each space, 1 for null termination
int initial_buffer_length= 0;
if (create)
{
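Review bot: Nothing in the new `offset_buffer` declaration ties `MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH` to the widest value `" %" PRIu64` can print (20 digits for a 64-bit value), so the sizing still rests on the macro's definition, which is not visible here. If the project builds as C++11 or later, a compile-time check next to the declaration would pin that assumption: `static_assert(MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH >= 20, "must hold UINT64_MAX in decimal");`. The same applies to `initial_buffer`, whose `(… + 1)*3 + 1` size assumes exactly three space-prefixed integers are formatted into it; that snprintf() call sits in the `if (create)` branch past the end of this hunk, so it is worth confirming it carries the same truncation check as `offset_buffer`. A regression test that passes an offset of UINT64_MAX through text_incr_decr would keep the boundary case covered.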
8 changes: 4 additions & 4 deletions libmemcached/storage.cc
@@ -321,31 +321,31 @@ static memcached_return_t memcached_send_ascii(memcached_st *ptr,
const uint64_t cas,
memcached_storage_action_t verb)
{
char flags_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH +1];
char flags_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH + 1 + 1]; // 1 for space, 1 for null termination
int flags_buffer_length= snprintf(flags_buffer, sizeof(flags_buffer), " %u", flags);
if (size_t(flags_buffer_length) >= sizeof(flags_buffer) or flags_buffer_length < 0)
{
return memcached_set_error(*ptr, MEMCACHED_MEMORY_ALLOCATION_FAILURE, MEMCACHED_AT,
memcached_literal_param("snprintf(MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH)"));
}

char expiration_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH +1];
char expiration_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH + 1 + 1]; // 1 for space, 1 for null termination
int expiration_buffer_length= snprintf(expiration_buffer, sizeof(expiration_buffer), " %lld", (long long)expiration);
if (size_t(expiration_buffer_length) >= sizeof(expiration_buffer) or expiration_buffer_length < 0)
{
return memcached_set_error(*ptr, MEMCACHED_MEMORY_ALLOCATION_FAILURE, MEMCACHED_AT,
memcached_literal_param("snprintf(MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH)"));
}

char value_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH +1];
char value_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH + 1 + 1]; // 1 for space, 1 for null termination
int value_buffer_length= snprintf(value_buffer, sizeof(value_buffer), " %lu", (unsigned long)value_length);
if (size_t(value_buffer_length) >= sizeof(value_buffer) or value_buffer_length < 0)
{
return memcached_set_error(*ptr, MEMCACHED_MEMORY_ALLOCATION_FAILURE, MEMCACHED_AT,
memcached_literal_param("snprintf(MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH)"));
}

char cas_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH +1];
char cas_buffer[MEMCACHED_MAXIMUM_INTEGER_DISPLAY_LENGTH + 1 + 1]; // 1 for space, 1 for null termination
int cas_buffer_length= 0;
if (cas)
{
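Review bot: The comment on `expiration_buffer` budgets one byte for the space and one for the terminator, but `" %lld"` also prints a minus sign when `expiration` is negative, so the real budget is space + sign + digits + NUL. That presumably still fits because a signed 64-bit value has at most 19 digits, one fewer than the unsigned maximum, and the comment should say so, e.g. `// 1 for space, 1 for null termination; a '-' fits because signed 64-bit has at most 19 digits`. Separately, each truncation branch returns `MEMCACHED_MEMORY_ALLOCATION_FAILURE`, which reports a formatting-size problem as an out-of-memory condition; a more accurate error code would make a recurrence of this defect far easier to diagnose. The `+ 1 + 1` expression is now repeated across the declarations in both files, and a single named constant for the buffer size would keep them in step. memcached_send_ascii continues past the end of this hunk, where `cas_buffer` is filled.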
