View Issue Details

IDProjectCategoryView StatusLast Update
0000634LDMud 3.3Portabilitypublic2009-05-10 12:55
Reporterzesstra Assigned Tozesstra  
Status resolvedResolutionfixed 
Platformx86_64OSMacOS XOS Version10.5.x
Product Version3.3.718 
Target Version3.3.719Fixed in Version3.3.719 
Summary0000634: Overflow of number_buffer in object.c
Descriptionsave_svalue() in object.c uses the static buffer number_buffer to store a textual representation of numbers. sprintf() is used to write into the buffer. Its size is 36, which should be sufficient for even 64 bit integers and our floats.
But Gnomi noticed, that the buffer size was not sufficient in one case, where the exponent of a float was printed as 32 bit integer (0xffffffff).

1) This should IMHO not happen.
2) The buffer should only be written with a sprintfn(...,sizeof(number_buffer),...)
to prevent such overflows.
TagsNo tags attached.



2009-05-10 12:55

administrator   ~0001093

Fixed in r2579 by writing the exponent as a uint16_t.

I could not reproduce the issue, but Gnomi found out, that on his system (glibc-...) PRIx16 was defined to be %x, although int16_t is a short on that system. This is plain wrong according to the manpage of sprintf. Despite this, SCNx16 is %hx.
Additionally all sprintf(), which write into number_buffer were replaced by snprintf().

Issue History

Date Modified Username Field Change
2009-05-05 15:49 zesstra New Issue
2009-05-05 15:49 zesstra Status new => assigned
2009-05-05 15:49 zesstra Assigned To => zesstra
2009-05-05 15:49 zesstra Project LDMud => LDMud 3.3
2009-05-10 12:55 zesstra Note Added: 0001093
2009-05-10 12:55 zesstra Status assigned => resolved
2009-05-10 12:55 zesstra Fixed in Version => 3.3.719
2009-05-10 12:55 zesstra Resolution open => fixed