From 41f2ea4045b183b7e2d0c5f61d7ab7958267122e Mon Sep 17 00:00:00 2001 From: Campbell Barton Date: Thu, 27 May 2021 17:16:08 +1000 Subject: Fix incorrect BLI_snprintf usage Event though in practice this wasn't causing problems as the fixed size buffers are generally large enough not to truncate text. Using the result from `snprint` or `BLI_snprintf` to step over a fixed size buffer allows for buffer overruns as the returned value is the size needed to copy the entire string, not the number of bytes copied. Building strings using this convention with multiple calls: ofs += BLI_snprintf(str + ofs, str_len_max - ofs); .. caused the size argument to become negative, wrapping it to a large value when cast to the unsigned argument. --- source/blender/blenlib/intern/timecode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'source/blender/blenlib') diff --git a/source/blender/blenlib/intern/timecode.c b/source/blender/blenlib/intern/timecode.c index 9586da941a4..7d7436411ac 100644 --- a/source/blender/blenlib/intern/timecode.c +++ b/source/blender/blenlib/intern/timecode.c @@ -216,10 +216,10 @@ size_t BLI_timecode_string_from_time_simple(char *str, const int hun = ((int)(fmod(time_seconds, 1.0) * 100)); if (hr) { - rlen = BLI_snprintf(str, maxncpy, "%.2d:%.2d:%.2d.%.2d", hr, min, sec, hun); + rlen = BLI_snprintf_rlen(str, maxncpy, "%.2d:%.2d:%.2d.%.2d", hr, min, sec, hun); } else { - rlen = BLI_snprintf(str, maxncpy, "%.2d:%.2d.%.2d", min, sec, hun); + rlen = BLI_snprintf_rlen(str, maxncpy, "%.2d:%.2d.%.2d", min, sec, hun); } return rlen; -- cgit v1.2.3