Skip to content
Permalink
Browse files Browse the repository at this point in the history
Issue #767: Buffer overflow printing a filename
The safe_fprintf function attempts to ensure clean output for an
arbitrary sequence of bytes by doing a trial conversion of the
multibyte characters to wide characters -- if the resulting wide
character is printable then we pass through the corresponding bytes
unaltered, otherwise, we convert them to C-style ASCII escapes.

The stack trace in Issue #767 suggest that the 20-byte buffer
was getting overflowed trying to format a non-printable multibyte
character.  This should only happen if there is a valid multibyte
character of more than 5 bytes that was unprintable.  (Each byte
would get expanded to a four-charcter octal-style escape of the form
"\123" resulting in >20 characters for the >5 byte multibyte character.)

I've not been able to reproduce this, but have expanded the conversion
buffer to 128 bytes on the belief that no multibyte character set
has a single character of more than 32 bytes.
  • Loading branch information
kientzle committed Aug 21, 2016
1 parent 36bb164 commit e37b620
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tar/util.c
Expand Up @@ -182,7 +182,7 @@ safe_fprintf(FILE *f, const char *fmt, ...)
}

/* If our output buffer is full, dump it and keep going. */
if (i > (sizeof(outbuff) - 20)) {
if (i > (sizeof(outbuff) - 128)) {
outbuff[i] = '\0';
fprintf(f, "%s", outbuff);
i = 0;
Expand Down

0 comments on commit e37b620

Please sign in to comment.