riscv
/
musl
mirror of https://git.musl-libc.org/git/musl
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

fix single-byte overflow of malloc'd buffer in getdelim 

the buffer enlargement logic here accounted for the terminating null
byte, but not for the possibility of hitting the delimiter in the
buffer-refill code path that uses getc_unlocked, in which case two
additional bytes (the delimiter and the null termination) are written
without another chance to enlarge the buffer.

this patch and the corresponding bug report are by Felix Janda.
master
Rich Felker 11 years ago
parent
bc0c48414e
commit
b114190b29
1 changed files with 1 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      src/stdio/getdelim.c

2
src/stdio/getdelim.c
View File

@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
for (;;) {
z = memchr(f->rpos, delim, f->rend - f->rpos);
k = z ? z - f->rpos + 1 : f->rend - f->rpos;
if (i+k >= *n) {
if (i+k+1 >= *n) {
if (k >= SIZE_MAX/2-i) goto oom;
*n = i+k+2;
if (*n < SIZE_MAX/4) *n *= 2;

Write Preview
Loading…
Cancel
Save