Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20151024204339.GA1352@nyan>
Date: Sat, 24 Oct 2015 22:43:39 +0200
From: Felix Janda <felix.janda@...teo.de>
To: musl@...ts.openwall.com
Subject: [PATCH] Fix off-by-one buffer overflow in getdelim

when deciding whether to resize the buffer, the terminating null byte
was not taken into account
---
 src/stdio/getdelim.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c
index a88c393..3077490 100644
--- a/src/stdio/getdelim.c
+++ b/src/stdio/getdelim.c
@@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
 	for (;;) {
 		z = memchr(f->rpos, delim, f->rend - f->rpos);
 		k = z ? z - f->rpos + 1 : f->rend - f->rpos;
-		if (i+k >= *n) {
+		if (i+k+1 >= *n) {
 			if (k >= SIZE_MAX/2-i) goto oom;
 			*n = i+k+2;
 			if (*n < SIZE_MAX/4) *n *= 2;
-- 
2.4.9

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.