http://bugs.winehq.org/show_bug.cgi?id=6677
Summary: Buffer overflows in the msvcrt *printf family
Product: Wine
Version: CVS
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: wine-msvcrt
AssignedTo: wine-bugs@winehq.org
ReportedBy: samuel.howard.dennis@gmail.com
Numeric formats used with a large specified precision or very large floats will cause buffer overflows in msvcrt.*printf.
There are safeguards of sorts in pf_vsnprintf but they only check the field width, which is not even relevant for one of the two cases as the 64-bit integer code uses the (safe) pf_fill function to expand the number. (Checking flags.Precision here instead of flags.FieldWidth when deciding whether to dynamically allocate memory for the representation of the number before padding and changing the behaviour of pf_integer_conv, which is also unsafe, would eliminate this buffer overflow.)
The other case is more complicated, as a formatting string is reconstructed and sent to the system sprintf. The 40 character buffer allocated (unless a larger minimum field width is specified) can easily be overrun with a large floating point value converted with the 'f' specifier, for example, or again with any value if the precision given is large. A more careful size calculation, or use of snprintf, is required.
Additionally, when extra memory is allocated, pf_vsnprintf uses the pointer to the static buffer instead of the dynamically allocated one in the HeapFree call.
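The following is an added illustration, not Wine's code, of the pattern the report asks for: the conversion specification is rebuilt for the system snprintf, a sizing pass replaces the field-width-only check so that precision and the magnitude of the value are covered, the heap is used when the 40-character local buffer is too small, and only the heap pointer is freed. The function name, its signature and the LOCAL_BUF_SIZE constant are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>

/* Mirrors the 40-character intermediate buffer the report describes. */
#define LOCAL_BUF_SIZE 40

/* Illustrative code, not Wine's: render one floating-point conversion
 * (spec 'f', 'e' or 'g'; flags omitted) into dst without overrunning the
 * intermediate buffer. Returns the full length the conversion needs, like
 * snprintf does; dst is truncated to dst_size - 1 characters if smaller. */
int format_double_safe(char *dst, size_t dst_size, double value,
                       int width, int precision, char spec)
{
    char fmt[32];
    char local[LOCAL_BUF_SIZE];
    char *buf = local;
    int n, needed, full;

    if (!dst || dst_size == 0) return -1;
    if (spec != 'f' && spec != 'e' && spec != 'g') return -1;

    /* Reconstruct the conversion specification for the system snprintf. */
    n = snprintf(fmt, sizeof fmt, "%%");
    if (width > 0)      n += snprintf(fmt + n, sizeof fmt - n, "%d", width);
    if (precision >= 0) n += snprintf(fmt + n, sizeof fmt - n, ".%d", precision);
    snprintf(fmt + n, sizeof fmt - n, "%c", spec);

    /* Sizing pass: the result reflects width, precision and the magnitude
     * of the value, so no separate field-width heuristic is needed. */
    needed = snprintf(NULL, 0, fmt, value);
    if (needed < 0) return -1;

    /* Fall back to the heap whenever the local buffer is too small. */
    if ((size_t)needed >= sizeof local) {
        buf = malloc((size_t)needed + 1);
        if (!buf) return -1;
    }
    snprintf(buf, (size_t)needed + 1, fmt, value);

    full = snprintf(dst, dst_size, "%s", buf);

    /* Free the heap buffer only; passing `local` here would be the
     * wrong-pointer free the report mentions. */
    if (buf != local) free(buf);
    return full;
}
```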