CDRIVER-2595 buffer underflow in bson_snprintf

Calling bson_snprintf with size 0 would write one byte before the start
of the destination string.

Author: ajdavis

src/libbson/src/bson/bson-string.c

@@ -608,10 +608,11 @@ bson_vsnprintf (char *str,          /* IN */
 
    BSON_ASSERT (str);
 
-   if (size != 0) {
-      r = _vsnprintf_s (str, size, _TRUNCATE, format, ap);
+   if (size == 0) {
+      return 0;
    }
 
+   r = _vsnprintf_s (str, size, _TRUNCATE, format, ap);
    if (r == -1) {
       r = _vscprintf (format, ap);
    }
@@ -622,6 +623,12 @@ bson_vsnprintf (char *str,          /* IN */
 #else
    int r;
 
+   BSON_ASSERT (str);
+
+   if (size == 0) {
+      return 0;
+   }
+
    r = vsnprintf (str, size, format, ap);
    str[size - 1] = '\0';
    return r;

src/libbson/tests/test-string.c

@@ -285,6 +285,17 @@ test_bson_strncpy (void)
 }
 
 
+static void
+test_bson_snprintf (void)
+{
+   char buf[] = "ab";
+
+   /* CDRIVER-2595 make sure snprintf with size 0 doesn't write to buf[-1] */
+   ASSERT_CMPINT (bson_snprintf (buf + 1, 0, "%d", 1), ==, 0);
+   ASSERT_CMPSTR (buf, "ab");
+}
+
+
 static void
 test_bson_strcasecmp (void)
 {
@@ -309,6 +320,7 @@ test_string_install (TestSuite *suite)
    TestSuite_Add (suite, "/bson/string/strndup", test_bson_strndup);
    TestSuite_Add (suite, "/bson/string/ascii_strtoll", test_bson_ascii_strtoll);
    TestSuite_Add (suite, "/bson/string/strncpy", test_bson_strncpy);
+   TestSuite_Add (suite, "/bson/string/snprintf", test_bson_snprintf);
    TestSuite_Add (suite, "/bson/string/strnlen", test_bson_strnlen);
    TestSuite_Add (suite, "/bson/string/strcasecmp", test_bson_strcasecmp);
 }