From d3db2da1d13bd2419370ad96defb92eecb17064c Mon Sep 17 00:00:00 2001 From: Matthias Andree Date: Mon, 9 Aug 2021 17:42:29 +0200 Subject: Fix --logfile and message truncation issue. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Regression in 6.4.20's security fix (Git commit c546c829). We doubly incremented partial_message_size_used on modern systems (stdarg.h/vsnprintf), once in report_vbuild() and then again in report_build(), so the 2nd and subsequent report_build() fragments landed too late in the buffer. This will not cause overruns due to the reallocation prior to the vsnprintf/sprintf, but the write starts behind the '\0' byte, instead of right over it, so the string also gets truncated to the first fragment written with report_vbuild(). Fix by moving the increment back into the #else...#endif part that does not use report_vbuild(). Reported by: Jürgen Edner, Erik Christiansen --- report.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'report.c') diff --git a/report.c b/report.c index aea6b3ea..2db7d0a9 100644 --- a/report.c +++ b/report.c @@ -286,10 +286,11 @@ report_build (FILE *errfp, message, va_alist) n = snprintf (partial_message + partial_message_size_used, partial_message_size - partial_message_size_used, message, a1, a2, a3, a4, a5, a6, a7, a8); -#endif if (n > 0) partial_message_size_used += n; +#endif + if (unbuffered && partial_message_size_used != 0) { partial_message_size_used = 0; -- cgit v1.2.3
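Review bot: in the #else branch of report_build(), the now-enclosed `if (n > 0) partial_message_size_used += n;` adds the snprintf return value without comparing it to the remaining space, `partial_message_size - partial_message_size_used`. snprintf returns the length the output would have had, so if the call truncates, the counter moves past the terminating '\0' (the same symptom this commit fixes) and can exceed partial_message_size, at which point the next size argument would wrap if these counters are unsigned. The commit message relies on the reallocation before the call to rule that out, but that code is not in this hunk; consider clamping n to the remaining space here, or asserting that it fits. A one-line comment at the moved #endif saying that report_vbuild() does the increment in the other branch would also help, since the double accounting could not be seen from this function alone.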