Share via


Buffer Overflow

 

The new home for Visual Studio documentation is Visual Studio 2017 Documentation on docs.microsoft.com.

Varying character sizes can cause problems when you put characters into a buffer. Consider the following code, which copies characters from a string, sz, into a buffer, rgch:

cb = 0;  
while( cb < sizeof( rgch ) )  
    rgch[ cb++ ] = *sz++;  

The question is: Was the last byte copied a lead byte? The following does not solve the problem because it can potentially overflow the buffer:

cb = 0;  
while( cb < sizeof( rgch ) )  
{  
    _mbccpy( rgch + cb, sz );  
    cb += _mbclen( sz );  
    sz = _mbsinc( sz );  
}  

The _mbccpy call attempts to do the correct thing — copy the full character, whether it is 1 or 2 bytes. But it does not take into account that the last character copied might not fit the buffer if the character is 2 bytes wide. The correct solution is:

cb = 0;  
while( (cb + _mbclen( sz )) <= sizeof( rgch ) )  
{  
    _mbccpy( rgch + cb, sz );  
    cb += _mbclen( sz );  
    sz = _mbsinc( sz );  
}  

This code tests for possible buffer overflow in the loop test, using _mbclen to test the size of the current character pointed to by sz. By making a call to the _mbsnbcpy function, you can replace the code in the while loop with a single line of code. For example:

_mbsnbcpy( rgch, sz, sizeof( rgch ) );  

See Also

MBCS Programming Tips