Curl_ssl_push_certinfo_len: don't %.*s non-zero-terminated string

Our own printf() replacement clearly can't properly handle %.*s with a string that isn't zero terminated. Instead of fixing the printf code or even figuring out what the proper posix behavior is, I reverted this piece of the code back to the previous version where it does malloc + memcpy instead. Regression added in e839446c2a, released in curl 7.32.0. Reported-by: Felix Yan Bug: http://curl.haxx.se/bug/view.cgi?id=1295
2013-11-05 09:56:18 +01:00 · 2013-11-05 09:56:18 +01:00 · 5aa290f0f2
parent f0831f7931
commit 5aa290f0f2
1 changed files with 15 additions and 2 deletions
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@ -611,6 +611,9 @@ int Curl_ssl_init_certinfo(struct SessionHandle * data,
  return 0;
 }

+/*
+ * 'value' is NOT a zero terminated string
+ */
 CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data,
                                    int certnum,
                                    const char *label,
@ -621,12 +624,22 @@ CURLcode Curl_ssl_push_certinfo_len(struct SessionHandle *data,
  char * output;
  struct curl_slist * nl;
  CURLcode res = CURLE_OK;
+  size_t labellen = strlen(label);
+  size_t outlen = labellen + 1 + valuelen + 1; /* label:value\0 */

-  /* Add an information record for a particular certificate. */
-  output = curl_maprintf("%s:%.*s", label, valuelen, value);
+  output = malloc(outlen);
  if(!output)
    return CURLE_OUT_OF_MEMORY;

+  /* sprintf the label and colon */
+  snprintf(output, outlen, "%s:", label);
+
+  /* memcpy the value (it might not be zero terminated) */
+  memcpy(&output[labellen+1], value, valuelen);
+
+  /* zero terminate the output */
+  output[labellen + 1 + valuelen] = 0;
+
  nl = Curl_slist_append_nodup(ci->certinfo[certnum], output);
  if(!nl) {
    free(output);