2013.08.01 09:21 "[Tiff] Vulnerabilities in libtiff 4.0.3", by Pedro Ribeiro

2013.09.20 17:02 "Re: [Tiff] Vulnerabilities in libtiff 4.0.3", by Bob Friesenhahn

The snprintf man page says:

        The functions snprintf() and vsnprintf() write at most size
        bytes (including the trailing null byte ('\0')) to str.

        The trailing null byte is added to str, unless size is zero.

Is it wrong? What am I missing?

snprintf always writes the number of bytes specified by size. If the string is smaller than size, then the remaining space is filled with zero bytes. If the string is exactly size, then no null termination is added at all. For this reason, it is always necessary to follow up an snprintf with a write of zero to the last byte in the array to assure that it is a valid null-terminated C string. There are some cases (e.g. specific file formats) where the buffer is not required to be null-terminated since the reader is required to read only up to N bytes.

Bob Friesenhahn
bfriesen@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
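An added example, not part of the thread and not libtiff or GraphicsMagick code, that exercises the snprintf behaviour discussed above on constructed input: a source string longer than the destination, a source that fits, and the size-zero call. It wraps snprintf with the defensive "write a zero to the last byte" step Bob recommends, and reports the return value, which is how a caller detects that truncation happened. Function names (`safe_format`, `was_truncated`, `kept_length`, `needed_length`) are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Format src into dst (capacity cap bytes) with snprintf, then force a
   terminator onto the last byte regardless of what snprintf did.
   Returns the length snprintf reports it would have needed. */
int safe_format(char *dst, size_t cap, const char *src) {
    int wanted = snprintf(dst, cap, "%s", src);
    if (cap > 0) {
        dst[cap - 1] = '\0';   /* defensive terminator, harmless if already present */
    }
    return wanted;
}

/* Truncation test on snprintf's return value: a result of cap or more
   (or a negative error) means the output did not fit. */
int was_truncated(int wanted, size_t cap) {
    return wanted < 0 || (size_t)wanted >= cap;
}

/* Does buf[0..cap) contain a NUL byte anywhere? */
int has_terminator(const char *buf, size_t cap) {
    return memchr(buf, '\0', cap) != NULL;
}

/* Size-zero probe: snprintf writes nothing and only reports the length
   it would have needed (useful for sizing a buffer before allocating). */
int needed_length(const char *src) {
    return snprintf(NULL, 0, "%s", src);
}

/* Run safe_format into a cap-byte slice of a poisoned local buffer and
   return how many characters survived. The poison ('X') makes a missing
   terminator visible instead of silently relying on stack contents. */
size_t kept_length(const char *src, size_t cap) {
    char buf[64];
    if (cap > sizeof buf) {
        cap = sizeof buf;
    }
    memset(buf, 'X', sizeof buf);
    safe_format(buf, cap, src);
    return has_terminator(buf, cap) ? strlen(buf) : cap;
}

int main(void) {
    /* Constructed inputs: a 21-character tag and a short one. */
    const char *long_tag = "constructed-tag-value";
    const char *short_tag = "short";
    char buf[8];

    int wanted = safe_format(buf, sizeof buf, long_tag);
    printf("long : wanted=%d kept=\"%s\" truncated=%d\n",
           wanted, buf, was_truncated(wanted, sizeof buf));

    wanted = safe_format(buf, sizeof buf, short_tag);
    printf("short: wanted=%d kept=\"%s\" truncated=%d\n",
           wanted, buf, was_truncated(wanted, sizeof buf));

    printf("size-zero probe needs %d bytes plus NUL\n", needed_length(long_tag));
    return 0;
}
```

The return value is the only reliable signal that output was cut short; checking it (as `was_truncated` does) is what turns a silently shortened tag or filename into a handled error rather than data that looks valid but is not.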