diff options
author | Hanno Boeck <hanno@hboeck.de> | 2016-01-27 15:10:11 +0100 |
---|---|---|
committer | Guillem Jover <guillem@hadrons.org> | 2016-01-27 15:24:50 +0100 |
commit | c8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 (patch) | |
tree | fd1467c416fe9f05956a3d77e302930344b5a3e8 | |
parent | 008316aa291e0930eba067ed7b0772d0009813b0 (diff) |
Fix heap buffer overflow in fgetwln()
In the function fgetwln() there's a 4 byte heap overflow.
There is a while loop that has this check to see whether there's still
enough space in the buffer:
if (!fb->len || wused > fb->len) {
If this is true more memory gets allocated. However this test won't be
true if wused == fb->len, but at that point wused already points out
of the buffer. Some lines later there's a write to the buffer:
fb->wbuf[wused++] = wc;
This bug was found with the help of address sanitizer.
Warned-by: ASAN
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
Signed-off-by: Guillem Jover <guillem@hadrons.org>
-rw-r--r-- | src/fgetwln.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/fgetwln.c b/src/fgetwln.c index 9ee0776..aa3f927 100644 --- a/src/fgetwln.c +++ b/src/fgetwln.c @@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp) fb->fp = stream; while ((wc = fgetwc(stream)) != WEOF) { - if (!fb->len || wused > fb->len) { + if (!fb->len || wused >= fb->len) { wchar_t *wp; if (fb->len) |