New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

string memory corruption on long path names > ~200 characters (Origin: bugzilla #640646) #4112

doxygen opened this Issue Jul 2, 2018 · 0 comments


None yet
1 participant

doxygen commented Jul 2, 2018

status RESOLVED severity major in component general for ---
Reported in version 1.7.3 on platform Other
Assigned to: Dimitri van Heesch

Original attachment names and IDs:

On 2011-01-26 15:45:24 +0000, Matthias Gerstner wrote:

Created attachment 179378
fix length limitation of vsprintf() by using two pass vsnprintf() approach

While attempting to build doxygen documentation for a large software project I encountered memory corruption in realloc() that caused execution to abort.

A debugging session showed that doxygen was trying to print a warning in doxygen.cpp:685 for a path that is longer than about 200 characters.

A further analysis showed that the problem is rooted in SCString::sprintf( const char*, ...) in qtools/scstring.cpp:152. The function temporarily increases the string object size to at least 256 characters and then calls vsprintf() for the given arguments.

In my case the string argument was longer than 200 characters causing the "minlen" of 256 characters to be overflowed and the heap being corrupted. The following resize operation using realloc() then causes the program to crash.

I've attached a simple bugfix for SCString::sprintf( const char*, ...) that adds a two-pass operation using vsnprintf(). The first pass determines the number of characters that the given format string will require, then the string is resized accordingly. The second pass then performs the actual printing.

In my tests this fixed the crash and building documentation was possible again. The patch might, however, require more tuning. I couldn't determine whether the two-pass operation is supported under all circumstances by vsnprintf. The man pages are a tad unclear about that. Also the MS Windows CRT traditionally has got limitations regarding such C99 functionality.

Best regards,


On 2011-01-29 22:37:54 +0000, Dimitri van Heesch wrote:

Thanks, I'll include the patch in the next subversion update.

On 2011-03-28 14:19:32 +0000, Dimitri van Heesch wrote:

This bug was previously marked ASSIGNED, which means it should be fixed in
doxygen version 1.7.4. Please verify if this is indeed the case. Reopen the
bug if you think it is not fixed and please include any additional information
that you think can be relevant.

@doxygen doxygen closed this Jul 2, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment