
Commit 7c164a0

palimbeijen
authored andcommitted
Do not use unsafe sprintf w/variable length input
This could cause a buffer overflow when reporting an error message about the validation of (untrusted) user-input parameters.
1 parent 9162255 commit 7c164a0


1 file changed

+3
-3
lines changed


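--- a/dbdimp.c
+++ b/dbdimp.c
@@ -4783,7 +4783,7 @@ int dbd_bind_ph(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
 int rc;
 int param_num= SvIV(param);
 int idx= param_num - 1;
-char err_msg[64];
+char *err_msg;
 D_imp_xxh(sth);
 
 #if MYSQL_VERSION_ID >= SERVER_PREPARE_VERSION
@@ -4826,9 +4826,9 @@ int dbd_bind_ph(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
 {
 if (! looks_like_number(value))
 {
-sprintf(err_msg,
+err_msg = SvPVX(sv_2mortal(newSVpvf(
 "Binding non-numeric field %d, value %s as a numeric!",
-param_num, neatsvpv(value,0));
+param_num, neatsvpv(value,0))));
 do_error(sth, JW_ERR_ILLEGAL_PARAM_NUM, err_msg, NULL);
 }
 }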
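Review bot: `err_msg` is left as an uninitialized function-scope pointer in the first hunk (`char *err_msg;`) although it is assigned and consumed only inside the `looks_like_number` branch of the second hunk, so any later path that reuses the name would read an indeterminate pointer. Declaring it at the point of use keeps the scope of the mortal buffer visible next to the call that depends on it: `const char *err_msg = SvPVX(sv_2mortal(newSVpvf("Binding non-numeric field %d, value %s as a numeric!", param_num, neatsvpv(value,0))));` immediately before `do_error`. As I read it, the buffer returned by `SvPVX` stays valid until the mortal is reaped, which is after `do_error` returns here, so the fix itself is sound; a one-line comment such as `/* mortal SV: buffer is valid only until the next FREETMPS */` would make that lifetime explicit. The body of dbd_bind_ph begins before the first hunk and continues past the second.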
