[Spice-devel] [cacard 5/5] hex_dump: Fix buffer overflow
Christophe Fergeau
cfergeau at redhat.com
Tue Aug 21 15:03:58 UTC 2018
When printing the hexdump output, the hex_dump() function prints 5
visible chars at a time, but since it's using sprintf, it will also
print a '\0'. Since its output strings are sized to be 5*number_of_chars,
this means we will overflow the output string by one character on the
last iteration. This commit ensures the output strings are properly
sized to avoid this.
Signed-off-by: Christophe Fergeau <cfergeau at redhat.com>
---
src/common.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/common.c b/src/common.c
index 0e90b0e..b3cd981 100644
--- a/src/common.c
+++ b/src/common.c
@@ -49,11 +49,16 @@ lebytes2ushort(const unsigned char *buf)
}
#define MAX_STATIC_BYTES 1024
-static char hexdump_buffer[5*MAX_STATIC_BYTES];
+static char hexdump_buffer[5*MAX_STATIC_BYTES + 1];
/*
* Creates printable representation in hexadecimal format of the data
* provided in the buf buffer. A static buffer will be used, which
* can hold up to 1024 bytes (longer will get truncated).
+ *
+ * The dumping loop will print 5 visible characters at a time, but since it's
+ * using sprintf, we also need to account for the '\0' it appends to the end of
+ * the string on the last iteration, or we'll overflow the buffer we are
+ * printing to.
*/
char *
hex_dump(const unsigned char *buf, size_t buflen)
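Review bot: The extra byte on hexdump_buffer only closes the overflow as long as the loop keeps writing exactly 5 visible characters per input byte and buflen is capped at MAX_STATIC_BYTES before the loop runs; neither is visible in this hunk, so it is worth confirming the cap precedes the loop, and worth considering snprintf against the remaining space (sizeof(hexdump_buffer) - offset) instead of sprintf so that a later change to the format string cannot silently reintroduce the write past the end. The added comment could also be shortened to "5 chars per byte plus the trailing '\0'".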
--
2.17.1
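As an added illustration of the sizing rule the commit message describes (this is not libcacard's code and not part of the patch), the following C program sizes the static buffer as 5 bytes per input byte plus one for the terminating NUL, caps the input at MAX_STATIC_BYTES before the loop, and writes with snprintf against the remaining space so that no iteration can run past the end. The "0x%02x " format is an assumption chosen because it yields 5 visible characters per byte; the helper names hex_dump_required_size and hex_dump_to are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_STATIC_BYTES 1024
/* 5 visible characters per input byte ("0xab " is an assumed format, not
 * necessarily libcacard's) plus one byte for the '\0' that the last
 * snprintf/sprintf call appends. Without the +1 the last write overflows. */
#define HEXDUMP_BUFSIZE (5 * MAX_STATIC_BYTES + 1)

static char hexdump_buffer[HEXDUMP_BUFSIZE];

/* Bytes a dump of buflen input bytes needs, terminating NUL included
 * (hypothetical helper, added for illustration). */
size_t hex_dump_required_size(size_t buflen)
{
    if (buflen > MAX_STATIC_BYTES)
        buflen = MAX_STATIC_BYTES;
    return 5 * buflen + 1;
}

/* Writes the dump of buf into out (capacity outlen) and returns the number of
 * input bytes actually dumped. Bounds every write by the remaining space, so
 * a larger format string would truncate instead of overflowing. */
size_t hex_dump_to(char *out, size_t outlen, const unsigned char *buf, size_t buflen)
{
    size_t pos = 0, i;

    if (outlen == 0)
        return 0;
    out[0] = '\0';
    for (i = 0; i < buflen; i++) {
        /* stop while there is still room for 5 characters plus the NUL */
        if (outlen - pos < 6)
            break;
        int n = snprintf(out + pos, outlen - pos, "0x%02x ", buf[i]);
        if (n < 0 || (size_t)n >= outlen - pos)
            break;
        pos += (size_t)n;
    }
    return i;
}

/* Same contract as the function in the patch: returns a static buffer,
 * truncating input longer than MAX_STATIC_BYTES. */
char *hex_dump(const unsigned char *buf, size_t buflen)
{
    if (buflen > MAX_STATIC_BYTES)
        buflen = MAX_STATIC_BYTES;
    hex_dump_to(hexdump_buffer, sizeof hexdump_buffer, buf, buflen);
    return hexdump_buffer;
}

int main(void)
{
    /* constructed sample input */
    const unsigned char sample[] = { 0xde, 0xad, 0xbe, 0xef };
    printf("%s\n", hex_dump(sample, sizeof sample));
    return 0;
}
```

The second helper makes the failure mode visible: handing it a buffer of exactly 5*n bytes, as the pre-patch code did, stops one byte early rather than writing the NUL past the end.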