Fix snprintf buffer overflow bug (#4465)

Summary:
The contract of snprintf says that it returns "The number of characters that would have been written if n had been sufficiently large" http://www.cplusplus.com/reference/cstdio/snprintf/
The existing code however was assuming that the return value is the actual number of written bytes and uses that to reposition the starting point on the next call to snprintf. This leads to buffer overflow when the last call to snprintf has filled up the buffer.
Pull Request resolved: https://github.com/facebook/rocksdb/pull/4465

Differential Revision: D10224080

Pulled By: maysamyabandeh

fbshipit-source-id: 40f44e122d15b0db439812a0a361167cf012de3e
main
Maysam Yabandeh 6 years ago committed by Facebook Github Bot
parent e13d8dcbbb
commit 1fb6805527
  1. 2
      db/compaction.cc

@ -331,12 +331,14 @@ const char* Compaction::InputLevelSummary(
if (!is_first) { if (!is_first) {
len += len +=
snprintf(scratch->buffer + len, sizeof(scratch->buffer) - len, " + "); snprintf(scratch->buffer + len, sizeof(scratch->buffer) - len, " + ");
len = std::min(len, static_cast<int>(sizeof(scratch->buffer)));
} else { } else {
is_first = false; is_first = false;
} }
len += snprintf(scratch->buffer + len, sizeof(scratch->buffer) - len, len += snprintf(scratch->buffer + len, sizeof(scratch->buffer) - len,
"%" ROCKSDB_PRIszt "@%d", input_level.size(), "%" ROCKSDB_PRIszt "@%d", input_level.size(),
input_level.level); input_level.level);
len = std::min(len, static_cast<int>(sizeof(scratch->buffer)));
} }
snprintf(scratch->buffer + len, sizeof(scratch->buffer) - len, snprintf(scratch->buffer + len, sizeof(scratch->buffer) - len,
" files to L%d", output_level()); " files to L%d", output_level());

Loading…
Cancel
Save