swprintf does not guarantee NUL termination
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
glibc (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
The C99 specification states for swprintf (section 7.24.2.3):
> The swprintf function is equivalent to fwprintf, except that the argument s specifies an array of wide characters into which the generated output is to be written, rather than written to a stream. No more than n wide characters are written, including a terminating null wide character, which is always added (unless n is zero).
My interpretation that "always" includes failure, including truncation error. However, it appears that swprintf from glibc does NOT NUL-terminate on truncation. (I am using glibc 2.24 and gcc 6.3.0 20170406 from an Ubuntu 17.04 x64 (desktop) live CD.)
I have attached sample code that exhibits this problem. The output I expect is:
ret: -1 buf: 68 0
but instead I get:
ret: -1 buf: 68 cacacaca
(I do get the expected behavior with libc on FreeBSD and macOS.)
This still occurs with glibc 2.27-3ubuntu1 from Ubuntu 18.04.1 LTS x64.