From dbf8f93be4d013f655900505c936104babaf6ac8 Mon Sep 17 00:00:00 2001
From: Simon Arlott
Date: Wed, 28 Jun 2023 08:09:37 +0100
Subject: [PATCH] Fix assumption in gnc_num_dbg_to_string()

If the size of "buff" is not evenly divisible by "size" then this would allocate off the end of the buffer. That's not currently the case but the calculation shouldn't do this. Change it to check there's actually enough space.
---
 libgnucash/engine/gnc-numeric.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libgnucash/engine/gnc-numeric.cpp b/libgnucash/engine/gnc-numeric.cpp
index 6507e957a2..0a1de32b99 100644
--- a/libgnucash/engine/gnc-numeric.cpp
+++ b/libgnucash/engine/gnc-numeric.cpp
@@ -1290,12 +1290,12 @@ gnc_num_dbg_to_string(gnc_numeric n)
 {
 static char buff[1000];
 static char *p = buff;
- static const uint64_t size = 50;
+ static const size_t size = 50;
 int64_t tmpnum = n.num;
 int64_t tmpdenom = n.denom;
 p += size;
- if (p - buff >= 1000) p = buff;
+ if ((size_t)(p - buff) > sizeof(buff) - size) p = buff;
 snprintf(p, size, "%" PRId64 "/%" PRId64, tmpnum, tmpdenom);