[UDUNITS #XTH-607581]: Buffer overrun in ut_format

Alex,

> Thank you for your reply.  My problem is that on my platform, if the
> format buffer is too small, I often get a segfault instead of an error
> code.  With the error code, even a -1 instead of a required size, I
> could double the size of my format buffer and try again. But as it is
> there is no guarantee that my format buffer will not be too small for
> the formatted unit, leading to buffer overrun.
> 
> What workaround would you recommend for users with C99-compliant
> sprintf? I could run through all the possible format output to find
> the maximum possible size with the standard XML unit database.  I
> could still get overruns if users use ut_map_name_to_unit, but I
> suppose I could live with this possibility.

I recommend that you always check the number of bytes returned by ut_format() 
and if it's greater than or equal to the size of the buffer, then consider it 
an error.

I just released a new version that should treat snprintf() calls more 
rigorously (there were some other changes that had to be made).

> Would it be possible to update the C API docs to indicate that the
> return value from ut_format depends on the platform's implementation
> of sprintf?

The documentation on ut_format() has been updated. It now reads

On success, this function returns either the number of bytes – excluding the 
terminating NUL – that were written into buf or the number of bytes that would 
have been written. The difference is due to the the runtime snprinf() function 
that was used. 

> Thanks for dealing with this.
> 
> Best regards,
> 
> Alex


Regards,
Steve Emmerson

Ticket Details
===================
Ticket ID: XTH-607581
Department: Support UDUNITS
Priority: Normal
Status: Closed