eBay / NuRaft

C++ implementation of Raft core logic as a replication library
Apache License 2.0

src/tracer.hxx:52 stack-buffer-overflow when using vsnprintf's return value #502

Closed byronhe closed 4 months ago

byronhe commented 4 months ago


at src/tracer.hxx:52

 48         len = vsnprintf(msg, 2048, format, args);
 49         va_end(args);
 50 
 51         // Get rid of newline at the end.
 52         if (msg[len-1] == '\n') {
 53             len--;
 54             msg[len] = 0x0;
 55         }

When the input format and args produce a line longer than 2048 bytes, vsnprintf's return value len is

the number of characters which would have been written to the final string if enough space had been available.

so line 52, msg[len] = 0x0;, causes a stack-buffer-overflow.

https://man7.org/linux/man-pages/man3/printf.3.html#RETURN_VALUE

RETURN VALUE

Upon successful return, these functions return the number of characters printed (excluding the null byte used to end output to strings). The functions snprintf() and vsnprintf() do not write more than size bytes (including the terminating null byte ('\0')). If the output was truncated due to this limit, then the return value is the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available. Thus, a return value of size or more means that the output was truncated. (See also below under NOTES.) If an output error is encountered, a negative value is returned.
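The hardened form of the tracer's pattern, as an added example that is not NuRaft's code: vsnprintf's return value is clamped to the buffer size before it is used as an index, a negative (error) return is handled, and the empty-message case is guarded. TRACE_BUF, format_trace and trace_scenario are names chosen here; the 'A'-filled argument is constructed input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRACE_BUF 2048  /* same fixed size as the tracer's msg[] buffer */

/* Hardened version of the tracer pattern. vsnprintf returns the length the
 * full output WOULD have had, so it is clamped to what actually fits before
 * being used as an index into msg. Returns the final length, or -1 on error.
 * If raw_ret is non-NULL it receives vsnprintf's unclamped return value. */
static int format_trace(char *msg, size_t cap, int *raw_ret,
                        const char *format, ...) {
    va_list args;
    va_start(args, format);
    int ret = vsnprintf(msg, cap, format, args);
    va_end(args);
    if (raw_ret) *raw_ret = ret;
    if (ret < 0) { msg[0] = '\0'; return -1; }   /* encoding/output error */

    size_t len = (size_t)ret;
    if (len >= cap) len = cap - 1;  /* truncated: only cap-1 chars plus NUL were written */

    /* Strip a trailing newline; len > 0 guards the empty-message case. */
    if (len > 0 && msg[len - 1] == '\n') {
        len--;
        msg[len] = '\0';
    }
    return (int)len;
}

/* Formats a constructed argument of arg_len 'A' bytes (plus a newline when
 * add_newline is set) into a TRACE_BUF-sized stack buffer. Returns the final
 * length; *raw_ret shows the index the original code would have written to. */
static int trace_scenario(size_t arg_len, int add_newline, int *raw_ret) {
    char msg[TRACE_BUF];
    char *arg = malloc(arg_len + 1);
    memset(arg, 'A', arg_len);
    arg[arg_len] = '\0';
    int len = format_trace(msg, sizeof msg, raw_ret,
                           add_newline ? "%s\n" : "%s", arg);
    free(arg);
    return len;
}
```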