From 4724793f96b163e95cb15e1b7374ff2b0434ed15 Mon Sep 17 00:00:00 2001
From: Gabriel Ravier
Date: Fri, 14 Apr 2023 16:55:42 +0200
Subject: fix wide printf numbered argument buffer overflow

The nl_type and nl_arg arrays defined in vfwprintf may be accessed with an index up to and including NL_ARGMAX, but they are only of size NL_ARGMAX, meaning they may be written to or read from 1 element too far.
---
 src/stdio/vfwprintf.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/stdio/vfwprintf.c b/src/stdio/vfwprintf.c
index 18784113..53697701 100644
--- a/src/stdio/vfwprintf.c
+++ b/src/stdio/vfwprintf.c
@@ -347,8 +347,8 @@ overflow:
 int vfwprintf(FILE *restrict f, const wchar_t *restrict fmt, va_list ap)
 {
 va_list ap2;
- int nl_type[NL_ARGMAX] = {0};
- union arg nl_arg[NL_ARGMAX];
+ int nl_type[NL_ARGMAX+1] = {0};
+ union arg nl_arg[NL_ARGMAX+1];
 int olderr;
 int ret;
-- 
cgit v1.2.3-70-g09d2
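Review bot: The `+1` on the `nl_type` and `nl_arg` declarations is the entire fix, yet nothing at the declarations records why the extra element is needed, so a later tidy-up back to `NL_ARGMAX` would silently reintroduce the one-element out-of-bounds access described in the commit message. I would add a comment directly above them, for example `/* indexed by positional argument number, up to and including NL_ARGMAX */`. The code that reads and writes these arrays lies outside the hunk (vfwprintf's body continues past it), so it is worth confirming there that every index is bounded by `NL_ARGMAX` and not by anything larger. The diffstat shows only this file changing, so no regression case for the highest numbered argument accompanies the fix; one run under a bounds-checking build would pin the behaviour.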