2013.08.01 09:21 "[Tiff] Vulnerabilities in libtiff 4.0.3", by Pedro Ribeiro

2013.09.20 17:21 "Re: [Tiff] Vulnerabilities in libtiff 4.0.3", by Lee Howard

On 09/20/2013 10:02 AM, Bob Friesenhahn wrote:

The snprintf man page says:

        The functions snprintf() and vsnprintf() write at most size

bytes (including the trailing null byte ('\0')) to str.

        The trailing null byte is added to str, unless size is zero.

Is it wrong? What am I missing?

snprintf always writes the number of bytes specified by size. If the string is smaller than size, then the remaining space is filled with zero bytes. If the string is exactly size, then no null termination is added at all. For this reason, it is always necessary to follow up an snprintf with a write of zero to the last byte in the array to assure that it is a valid null-terminated C string. There are some cases (e.g. specific file formats) where the buffer is not required to be null-terminated since the reader is required to read only up to N bytes.

There are several cases where snprintf is used with string input in the tools...

$ grep snprintf * | grep %s
rgb2ycbcr.c: snprintf(buf, sizeof(buf), "YCbCr conversion of %s",
tiff2bw.c: snprintf(thing, sizeof(thing), "B&W version of %s",
tiffcrop.c: snprintf(filenum, sizeof(filenum), "-%03d%s", findex,
tiffcrop.c: snprintf(temp_filename, sizeof(temp_filename),
tiffcrop.c: snprintf(temp_filename, sizeof(temp_filename),
tiffdither.c: snprintf(thing, sizeof(thing), "Dithered B&W version of
%s", argv[optind]);
tiffgt.c: snprintf(title, TITLE_LENGTH - 1, "%s [%u]",

tiffgt.c:        snprintf(title, 1024, "%s [%u] %d%%", filelist[fileindex],

Only in one instance in tiffcrop.c does the code ensure null-termination.

Is this something that you want to address, yourself?