Yes, I just mean the incorrect format string of fmt, it can be dangerous.

Valentin V. Bartenev <vbart@nginx.com> 于2018年11月10日周六 下午8:29写道：

> On Saturday, 10 November 2018 15:16:35 MSK wy7980 wrote:
> > # HG changeset patch
> > # User wy7980 <wy7980@gmail.com>
> > # Date 1541824641 -28800
> > # Sat Nov 10 12:37:21 2018 +0800
> > # Node ID e93ac0fd29c1f49e7dd49ff5e1efd58c009d359a
> > # Parent a2506436986ae9cf941fd9477aa77e28f501e11d
> >
> > fix bug of fmt overflow
> >
> > diff -r a2506436986a -r e93ac0fd29c1 src/core/ngx_string.c
> > --- a/src/core/ngx_string.c Tue Nov 06 16:32:09 2018 +0300
> > +++ b/src/core/ngx_string.c Sat Nov 10 12:37:21 2018 +0800
> > @@ -172,8 +172,9 @@
> > ngx_uint_t width, sign, hex, max_width, frac_width,
> scale,
> > n;
> > ngx_str_t *v;
> > ngx_variable_value_t *vv;
> > -
> > - while (*fmt && buf < last) {
> > + char *fmt_last = (char *)fmt + strlen(fmt);
> > +
> > + while (*fmt && buf < last && fmt < fmt_last) {
> >
> > /*
> > * "buf < last" means that we could copy at least one character:
> >
>
>
> Could you clarify what bug you are trying to fix?
> There should be no overflows unless you specified an incorrect format
> string.
>
> wbr, Valentin V. Bartenev
>
>
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel