Plan 9's implementation of the standard C functions snprintf and
vsnprintf have a buffer overrun bug.
If the buffer length equals the output length (without the terminating
null), then one too many characters is written to the buffer.
For example,
snprintf(buf, 4, "ABCD");
will write 5 characters to buf.
Attached is a short program to illustrate this, which gives the
following output :-
% 8c printftest.c && 8l printftest.8
% ./8.out
A B C D \0 * * * * * * * * * * *
#include <u.h>
#include <libc.h>
#include <stdio.h>
void main()
{
char buf[16];
int i;
memset(buf, '*', sizeof(buf));
snprintf(buf, 4, "ABCD");
for (i = 0; i < sizeof(buf); ++i) {
if (buf[i])
print(" %c ", buf[i]);
else
print(" \\0");
}
print("\n");
}
