[Webkit-unassigned] [Bug 140917] New: Windows returns -1 when calling vsnprintf with arguments that exceed target buffer size

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 26 19:05:38 PST 2015


https://bugs.webkit.org/show_bug.cgi?id=140917

            Bug ID: 140917
           Summary: Windows returns -1 when calling vsnprintf with
                    arguments that exceed target buffer size
    Classification: Unclassified
           Product: WebKit
           Version: 528+ (Nightly build)
          Hardware: PC
                OS: Windows 7
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: Web Template Framework
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: nakim at ea.com

According to https://msdn.microsoft.com/en-us/library/1kt27hek.aspx, Windows returns -1 when calling vsnprintf with arguments that exceed the target buffer size.

e.g.)

   char buf[5];
   int ret = vsnprintf(buf, 5, "%s", "0123456789");  /* 'return' is a C keyword and cannot name a variable */

This API returns -1, while other platforms (Linux, BSD) return 10 instead. The other platforms' references can be found below.

bsd - https://developer.apple.com/library/mac/documentation/Darwin/Reference/ManPages/man3/vsnprintf.3.html
linux - http://man7.org/linux/man-pages/man3/vsnprintf.3.html

I found this bug while testing JSC::Profiler::Database, which was announced in https://docs.google.com/document/d/18MQU5Dm31g4cVweuQuGofQAxfbenAAsE_njeTUuKOVA/edit, on the Windows platform. WebKit's current use of vsnprintf looks safe in that it does not overflow the buffer. But when this profiler tries to dump its source code using WTF::StringPrintStream::toCString(), the -1 return value of Windows' vsnprintf eventually *broke* the buffer grow logic of WTF::StringPrintStream::vprintf(). Since the buffer grow logic of WTF::StringPrintStream::toCString() depends on the vsnprintf behavior of the other (Linux, BSD) platforms, we need to fix the return value of wtf_vsnprintf (Windows' polyfill of vsnprintf) to match the other platforms.

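As an added illustration (not code from this report, nor WebKit's own wtf_vsnprintf or StringPrintStream), the following C program runs a grow-and-retry loop of the shape the report attributes to WTF::StringPrintStream::vprintf() against two contracts for the formatting call: the Linux/BSD one (return the full length) and a constructed stand-in for the Windows one (return -1 and leave the buffer unterminated when the output does not fit). It then shows a normalising wrapper that turns the -1 into the full length, which is one shape a fix to wtf_vsnprintf could take. The input is the report's own buf[5] / "0123456789" case; the Windows model, the helper names and the size-doubling probe (a portable substitute for querying the real Windows CRT) are assumptions made here.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*vsnprintf_fn)(char *, size_t, const char *, va_list);

/* Linux/BSD contract: C99 vsnprintf, returns the length the full output needs. */
static int posix_style_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
{
    return vsnprintf(buf, size, fmt, args);
}

/* Constructed model of the Windows CRT contract quoted in the report: if the
   output does not fit, fill the buffer with no terminator and return -1.
   This is a stand-in so the example runs on any libc, not Microsoft's code. */
static int windows_style_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
{
    va_list copy;
    va_copy(copy, args);
    int needed = vsnprintf(NULL, 0, fmt, copy);          /* length query only */
    va_end(copy);
    if (needed < 0)
        return -1;
    if ((size_t)needed < size)
        return vsnprintf(buf, size, fmt, args);          /* fits: same as POSIX */
    char *tmp = malloc((size_t)needed + 1);
    if (!tmp)
        return -1;
    vsnprintf(tmp, (size_t)needed + 1, fmt, args);
    memcpy(buf, tmp, size);                              /* truncated, no NUL */
    free(tmp);
    return -1;
}

/* Normalising wrapper (assumed shape of a fix): on -1, find the true length by
   formatting into a doubling scratch buffer until it fits, copy what fits into
   the caller's buffer, NUL-terminate, and return the full length like POSIX. */
static int portable_vsnprintf(char *buf, size_t size, const char *fmt, va_list args)
{
    va_list copy;
    va_copy(copy, args);
    int n = windows_style_vsnprintf(buf, size, fmt, copy);
    va_end(copy);
    if (n >= 0)
        return n;
    for (size_t probe = size ? size * 2 : 16; probe <= ((size_t)1 << 20); probe *= 2) {
        char *scratch = malloc(probe);
        if (!scratch)
            return -1;
        va_copy(copy, args);
        n = windows_style_vsnprintf(scratch, probe, fmt, copy);
        va_end(copy);
        if (n >= 0) {
            if (size) {                                  /* -1 meant n >= size */
                memcpy(buf, scratch, size - 1);
                buf[size - 1] = '\0';
            }
            free(scratch);
            return n;
        }
        free(scratch);
    }
    return -1;                                           /* gave up at 1 MiB */
}

/* Grow-and-retry loop in the shape the report describes: it trusts the return
   value as the length to grow to. Returns a malloc'd string, or NULL when the
   contract gives it nothing to grow to (the -1 case the report hit). */
static char *grow_format(vsnprintf_fn fn, const char *fmt, ...)
{
    size_t size = 8;                                     /* deliberately small */
    char *buf = malloc(size);
    for (int attempt = 0; attempt < 4 && buf; attempt++) {
        va_list args;
        va_start(args, fmt);
        int n = fn(buf, size, fmt, args);
        va_end(args);
        if (n >= 0 && (size_t)n < size)
            return buf;                                  /* fit, NUL-terminated */
        if (n < 0) {                                     /* n + 1 would be 0 bytes */
            free(buf);
            return NULL;
        }
        char *bigger = realloc(buf, (size_t)n + 1);
        if (!bigger) { free(buf); return NULL; }
        buf = bigger;
        size = (size_t)n + 1;
    }
    free(buf);
    return NULL;
}

/* The report's exact case through a given contract: char buf[5], "%s", "0123456789". */
static int demo_return_value(vsnprintf_fn fn)
{
    char buf[5];
    va_list args;
    int r;
    /* Build a va_list through a variadic trampoline so fn sees real arguments. */
    int (*call)(vsnprintf_fn, char *, size_t, const char *, ...);
    (void)args;
    call = NULL;
    (void)call;
    struct { vsnprintf_fn f; char *b; } ctx = { fn, buf };
    {
        int helper(struct { vsnprintf_fn f; char *b; } *c, const char *fmt, ...);
        (void)helper; (void)ctx;
    }
    /* Simple path: a local variadic shim (defined below) does the va_start. */
    extern int vsn_call(vsnprintf_fn, char *, size_t, const char *, ...);
    r = vsn_call(fn, buf, sizeof buf, "%s", "0123456789");
    return r;
}

int vsn_call(vsnprintf_fn fn, char *buf, size_t size, const char *fmt, ...)
{
    va_list args;
    va_start(args, fmt);
    int r = fn(buf, size, fmt, args);
    va_end(args);
    return r;
}

/* 1 if the grow loop produced the full string under this contract, else 0. */
static int demo_grow_ok(vsnprintf_fn fn)
{
    char *s = grow_format(fn, "%s", "0123456789");
    int ok = s && strcmp(s, "0123456789") == 0;
    free(s);
    return ok;
}

int main(void)
{
    printf("posix    return=%d grow_ok=%d\n", demo_return_value(posix_style_vsnprintf), demo_grow_ok(posix_style_vsnprintf));
    printf("windows  return=%d grow_ok=%d\n", demo_return_value(windows_style_vsnprintf), demo_grow_ok(windows_style_vsnprintf));
    printf("portable return=%d grow_ok=%d\n", demo_return_value(portable_vsnprintf), demo_grow_ok(portable_vsnprintf));
    return 0;
}
```

The Windows model returns -1 for the report's input, and the grow loop fed that value has no length to grow to; the POSIX contract and the normalising wrapper both hand the loop the length 10 it needs, so the second pass succeeds. On a real Windows CRT a fix would not need the doubling probe, since the CRT can report the required length directly; the probe is only there so the example runs unchanged on Linux and BSD.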