generic-library/libbsd
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/libbsd/libbsd.git synced 2025-01-09 03:08:38 +01:00
Code Issues Projects Releases Wiki Activity

Fix heap buffer overflow in fgetwln()

Browse Source 
In the function fgetwln() there's a 4 byte heap overflow.

There is a while loop that has this check to see whether there's still
enough space in the buffer:

		if (!fb->len || wused > fb->len) {

If this is true more memory gets allocated. However this test won't be
true if wused == fb->len, but at that point wused already points out
of the buffer. Some lines later there's a write to the buffer:

		fb->wbuf[wused++] = wc;

This bug was found with the help of address sanitizer.

Warned-by: ASAN
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
Signed-off-by: Guillem Jover <guillem@hadrons.org>
This commit is contained in:
Hanno Boeck 2016-01-27 15:10:11 +01:00 committed by Guillem Jover
parent 008316aa29
commit c8f0723d2b
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/fgetwln.c
View File

@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
fb->fp = stream;
while ((wc = fgetwc(stream)) != WEOF) {
if (!fb->len || wused > fb->len) {
if (!fb->len || wused >= fb->len) {
wchar_t *wp;
if (fb->len)