storm/w3m
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix potential heap buffer corruption due to Strgrow

Browse Source 
If Str.length = 5 and area_size = 6, the result of Strgrow is still
area_size = 6. For such case, Strcat_char and Strinsert_char will
overflow one byte.
This commit is contained in:
Kuang-che Wu
2016-08-30 08:32:00 +08:00
parent e79a099442
commit c95a43dc92
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
Str.c
View File

@@ -232,8 +232,8 @@ Strgrow(Str x)
{ {
char *old = x->ptr; char *old = x->ptr;
int newlen; int newlen;
newlen = x->length * 6 / 5; newlen = x->area_size * 6 / 5;
if (newlen == x->length) if (newlen == x->area_size)
newlen += 2; newlen += 2;
x->ptr = GC_MALLOC_ATOMIC(newlen); x->ptr = GC_MALLOC_ATOMIC(newlen);
x->area_size = newlen; x->area_size = newlen;