diff options
authorHanno Boeck <>2016-01-27 15:10:11 +0100
committerGuillem Jover <>2016-01-27 15:24:50 +0100
commitc8f0723d2b4520bdd6b9eb7c3e7976de726d7ff7 (patch)
parent008316aa291e0930eba067ed7b0772d0009813b0 (diff)
Fix heap buffer overflow in fgetwln()
In the function fgetwln() there's a 4 byte heap overflow. There is a while loop that has this check to see whether there's still enough space in the buffer: if (!fb->len || wused > fb->len) { If this is true more memory gets allocated. However this test won't be true if wused == fb->len, but at that point wused already points out of the buffer. Some lines later there's a write to the buffer: fb->wbuf[wused++] = wc; This bug was found with the help of address sanitizer. Warned-by: ASAN Fixes: Signed-off-by: Guillem Jover <>
1 files changed, 1 insertions, 1 deletions
diff --git a/src/fgetwln.c b/src/fgetwln.c
index 9ee0776..aa3f927 100644
--- a/src/fgetwln.c
+++ b/src/fgetwln.c
@@ -60,7 +60,7 @@ fgetwln(FILE *stream, size_t *lenp)
fb->fp = stream;
while ((wc = fgetwc(stream)) != WEOF) {
- if (!fb->len || wused > fb->len) {
+ if (!fb->len || wused >= fb->len) {
wchar_t *wp;
if (fb->len)