diff options
author | Rich Felker <dalias@aerifal.cx> | 2015-10-24 22:42:10 -0400 |
---|---|---|
committer | Rich Felker <dalias@aerifal.cx> | 2015-10-24 22:42:10 -0400 |
commit | b114190b29417fff6f701eea3a3b3b6030338280 (patch) | |
tree | 4002d6485371fe07fd26952d638cc0b938d34641 /src/stdio | |
parent | bc0c48414eaba9e974e54aa8ef611b78037fd387 (diff) | |
download | musl-b114190b29417fff6f701eea3a3b3b6030338280.tar.gz musl-b114190b29417fff6f701eea3a3b3b6030338280.tar.bz2 musl-b114190b29417fff6f701eea3a3b3b6030338280.tar.xz musl-b114190b29417fff6f701eea3a3b3b6030338280.zip |
fix single-byte overflow of malloc'd buffer in getdelim
the buffer enlargement logic here accounted for the terminating null
byte, but not for the possibility of hitting the delimiter in the
buffer-refill code path that uses getc_unlocked, in which case two
additional bytes (the delimiter and the null termination) are written
without another chance to enlarge the buffer.
this patch and the corresponding bug report are by Felix Janda.
Diffstat (limited to 'src/stdio')
-rw-r--r-- | src/stdio/getdelim.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c index a88c3933..30774908 100644 --- a/src/stdio/getdelim.c +++ b/src/stdio/getdelim.c @@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric for (;;) { z = memchr(f->rpos, delim, f->rend - f->rpos); k = z ? z - f->rpos + 1 : f->rend - f->rpos; - if (i+k >= *n) { + if (i+k+1 >= *n) { if (k >= SIZE_MAX/2-i) goto oom; *n = i+k+2; if (*n < SIZE_MAX/4) *n *= 2; |