[Libvir] [PATCH] Fix endless loop of VirBufferVSprintf()

Masayuki Sunou fj1826dm at aa.jp.fujitsu.com
Fri Aug 24 08:30:52 UTC 2007 

Hi

VirBufferVSprintf() loops endless when it receives over 2000 bytes,
because the return value of vsnprintf() is more than "size - 1".
It is because the maximum of "size" is 1999 bytes.
 --> the maximum of "buf->size - buf->use" = 2000
     (1000(argument of virBufferGrow()) + 1000(set in virBufferGrow()))

So, virBufferEscapeString() has the same problem.

This patch sets to virBufferGrow() the size of the data
which VirBufferVSprintf()(virBufferEscapeString()) received
when it is over 1000 bytes.

Signed-off-by: Masayuki Sunou <fj1826dm at aa.jp.fujitsu.com>

Thanks,
Masayuki Sunou.

----------------------------------------------------------------------
Index: src/buf.c
===================================================================
RCS file: /data/cvs/libvirt/src/buf.c,v
retrieving revision 1.3
diff -u -p -r1.3 buf.c
--- src/buf.c	9 Jul 2007 11:24:52 -0000	1.3
+++ src/buf.c	24 Aug 2007 05:56:37 -0000
@@ -159,7 +159,7 @@ virBufferContentAndFree (virBufferPtr bu
 int
 virBufferVSprintf(virBufferPtr buf, const char *format, ...)
 {
-    int size, count;
+    int size, count, grow_size;
     va_list locarg, argptr;
 
     if ((format == NULL) || (buf == NULL)) {
@@ -172,7 +172,8 @@ virBufferVSprintf(virBufferPtr buf, cons
                                locarg)) < 0) || (count >= size - 1)) {
         buf->content[buf->use] = 0;
         va_end(locarg);
-        if (virBufferGrow(buf, 1000) < 0) {
+        grow_size = (count > 1000) ? count : 1000;
+        if (virBufferGrow(buf, grow_size) < 0) {
             return (-1);
         }
         size = buf->size - buf->use - 1;
@@ -198,7 +199,7 @@ virBufferVSprintf(virBufferPtr buf, cons
 int
 virBufferEscapeString(virBufferPtr buf, const char *format, const char *str)
 {
-    int size, count, len;
+    int size, count, len, grow_size;
     char *escaped, *out;
     const char *cur;
 
@@ -248,7 +249,8 @@ virBufferEscapeString(virBufferPtr buf, 
     while (((count = snprintf(&buf->content[buf->use], size, format,
                               (char *)escaped)) < 0) || (count >= size - 1)) {
         buf->content[buf->use] = 0;
-        if (virBufferGrow(buf, 1000) < 0) {
+        grow_size = (count > 1000) ? count : 1000;
+        if (virBufferGrow(buf, grow_size) < 0) {
 	    free(escaped);
             return (-1);
         }
----------------------------------------------------------------------

More information about the libvir-list mailing list