|
Message-ID: <20151024204339.GA1352@nyan> Date: Sat, 24 Oct 2015 22:43:39 +0200 From: Felix Janda <felix.janda@...teo.de> To: musl@...ts.openwall.com Subject: [PATCH] Fix off-by-one buffer overflow in getdelim when deciding whether to resize the buffer, the terminating null byte was not taken into account --- src/stdio/getdelim.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c index a88c393..3077490 100644 --- a/src/stdio/getdelim.c +++ b/src/stdio/getdelim.c @@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric for (;;) { z = memchr(f->rpos, delim, f->rend - f->rpos); k = z ? z - f->rpos + 1 : f->rend - f->rpos; - if (i+k >= *n) { + if (i+k+1 >= *n) { if (k >= SIZE_MAX/2-i) goto oom; *n = i+k+2; if (*n < SIZE_MAX/4) *n *= 2; -- 2.4.9
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.