mirrors/musl
1
0
Fork 0
mirror of https://git.musl-libc.org/git/musl synced 2025-01-23 22:52:23 +03:00
Code Issues Packages Projects Releases Wiki Activity

fix single-byte overflow of malloc'd buffer in getdelim

Browse Source 
the buffer enlargement logic here accounted for the terminating null
byte, but not for the possibility of hitting the delimiter in the
buffer-refill code path that uses getc_unlocked, in which case two
additional bytes (the delimiter and the null termination) are written
without another chance to enlarge the buffer.

this patch and the corresponding bug report are by Felix Janda.
This commit is contained in:
Rich Felker 2015-10-24 22:42:10 -04:00
parent bc0c48414e
commit b114190b29
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/stdio/getdelim.c
View File

@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
for (;;) {
z = memchr(f->rpos, delim, f->rend - f->rpos);
k = z ? z - f->rpos + 1 : f->rend - f->rpos;
if (i+k >= *n) {
if (i+k+1 >= *n) {
if (k >= SIZE_MAX/2-i) goto oom;
*n = i+k+2;
if (*n < SIZE_MAX/4) *n *= 2;