Do not use unsafe sprintf w/variable length input

This can cause a buffer overflow to occur when reporting error message about validation of (untrusted) user input parameters.
perl5-dbi · Oct 2, 2016 · 7c164a0 · 7c164a0
1 parent 9162255
commit 7c164a0
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/dbdimp.c b/dbdimp.c
@@ -4783,7 +4783,7 @@ int dbd_bind_ph(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
   int rc;
   int param_num= SvIV(param);
   int idx= param_num - 1;
-  char err_msg[64];
+  char *err_msg;
   D_imp_xxh(sth);
 
 #if MYSQL_VERSION_ID >= SERVER_PREPARE_VERSION
@@ -4826,9 +4826,9 @@ int dbd_bind_ph(SV *sth, imp_sth_t *imp_sth, SV *param, SV *value,
   {
     if (! looks_like_number(value))
     {
-      sprintf(err_msg,
+      err_msg = SvPVX(sv_2mortal(newSVpvf(
               "Binding non-numeric field %d, value %s as a numeric!",
-              param_num, neatsvpv(value,0));
+              param_num, neatsvpv(value,0))));
       do_error(sth, JW_ERR_ILLEGAL_PARAM_NUM, err_msg, NULL);
     }
   }