[PATCH v2 2/2] lib/vsprintf: fix OOB write in vbin_printf() when size is zero

Josh Law posted 2 patches 1 day, 14 hours ago
Posted by Josh Law 1 day, 14 hours ago
When vbin_printf() is called with size==0, end equals bin_buf and
the else branch writes end[-1], which is one byte before the buffer.

Guard the write so it only happens when the buffer is non-empty.

Signed-off-by: Josh Law <objecting@objecting.org>
---
 lib/vsprintf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/vsprintf.c b/lib/vsprintf.c
index 7898fb998b21..b879babaf8c2 100644
--- a/lib/vsprintf.c
+++ b/lib/vsprintf.c
@@ -3234,7 +3234,7 @@ int vbin_printf(u32 *bin_buf, size_t size, const char *fmt_str, va_list args)
 					      spec);
 				if (str + 1 < end)
 					*str++ = '\0';
-				else
+				else if (size) /* do nothing if size is zero */
 					end[-1] = '\0'; /* Must be nul terminated */
 			}
 			/* skip all alphanumeric pointer suffixes */
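Review bot: on the `else if (size)` line, the trailing comment `/* do nothing if size is zero */` only restates the condition and does not say why the store has to be skipped. The reason is in the commit message (with size == 0, `end` equals `bin_buf`, so `end[-1]` lands one byte before the buffer) and would be more useful in the code than the current wording, for example `/* no room for a terminator when size is zero */`. Stacking two trailing comments on adjacent lines also reads awkwardly next to the existing `/* Must be nul terminated */`; a single comment above the `else if` would cover both. Separately, the message has no Fixes: tag, which an out-of-bounds write fix would normally carry so that it can be picked up for backports, and there is no v1 to v2 changelog below the `---` line.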
-- 
2.34.1