Buffer overflow in pspDebugScreenPrintf()

bronsky
Posts: 12
Joined: Sun Dec 24, 2006 5:36 am
Location: Paris

Post by bronsky »

Hello all,

I'm not sure where to post bug reports, hope I'm at the right place...

I found a buffer overflow problem in the pspDebugScreenPrintf() function. You can observe it by trying to output a string of more than 2048 characters with that function: the end (and possibly all) of the displaying will be totally messy.

I took a look at the file scr_printf.c and saw that pspDebugScreenPrintf() asks vsnprintf() to do the formatting and treats the return value as the number of characters actually printed, as specified in C89. But in C99, the return value is now the number of characters that WOULD HAVE been printed if the length of the preallocated buffer had been sufficient. So pspDebugScreenPrintData() then causes a buffer overflow by treating the size passed as a parameter as the actual size of the buffer.

So I think it would be better not to use the return value of vsnprintf(), and to call pspDebugScreenPrintData() like this:

    (void) pspDebugScreenPrintData(buff, sizeof(buff));

That way the data will just be truncated.

Hope this can help...
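The C89/C99 return-value mismatch described above, as an added example (not pspsdk code): a stand-in for pspDebugScreenPrintData() records the byte count it is handed, so the buggy pattern and a clamped version can be compared on the same over-long input. The function and macro names are assumptions, not pspsdk identifiers.

```c
/* Added example, not from the pspsdk source. Shows why trusting the C99
 * vsnprintf() return value as a byte count overruns a fixed buffer, and
 * how clamping it fixes the problem. fake_print_data, buggy_vprintf_len,
 * safe_vprintf_len and PRINT_BUF_SIZE are assumed names. */
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>

#define PRINT_BUF_SIZE 2048 /* buffer size the post reports for the SDK */

/* Stand-in for pspDebugScreenPrintData(): records how many bytes the
 * caller asked it to read so the caller's arithmetic can be checked. */
static size_t fake_print_data(const char *buf, size_t size) {
    (void)buf;
    return size;
}

/* Buggy pattern: under C89 the return was the bytes written, but C99
 * returns the length the full output would have had, so 'len' can exceed
 * the buffer and the print routine reads past its end. */
static size_t buggy_vprintf_len(const char *fmt, ...) {
    char buf[PRINT_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    return fake_print_data(buf, (size_t)len); /* over-read when len >= 2048 */
}

/* Fixed pattern: clamp to what vsnprintf() actually stored, at most
 * sizeof(buf) - 1 bytes before the terminating NUL. Output is truncated
 * instead of read past the buffer; a negative (error) return prints nothing. */
static size_t safe_vprintf_len(const char *fmt, ...) {
    char buf[PRINT_BUF_SIZE];
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(buf, sizeof(buf), fmt, ap);
    va_end(ap);
    if (len < 0)
        return 0;
    size_t n = (size_t)len;
    if (n > sizeof(buf) - 1)
        n = sizeof(buf) - 1; /* truncated: only this much is really in buf */
    return fake_print_data(buf, n);
}
```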

Post by bronsky »

Humm after consideration maybe this will be better:

    (void) pspDebugScreenPrintData(buff, strlen(buff));

TyRaNiD
Posts: 907
Joined: Sun Jan 18, 2004 12:23 am

Post by TyRaNiD »

Very true, it probably shouldn't be so stupid to try and print the length of characters it _should_ be, but then again do you really need to print 2048 characters in one run? I'll look at making sure it fixes it though :)
moonlight
Posts: 567
Joined: Wed Oct 26, 2005 7:46 pm

Post by moonlight »

Wow! 2048 chars at a time. Are you printing an encyclopedia? :p

Post by bronsky »

Hehe... yeah it's somewhat violent, but it was for debugging purposes: I wanted to display a PNG file in text mode and I put all the stuff in one string instead of doing one printf per line... I don't do such weird things in final code! :)