diff options
Diffstat (limited to 'main/musl/fix-single-byte-overflow.patch')
| -rw-r--r-- | main/musl/fix-single-byte-overflow.patch | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/main/musl/fix-single-byte-overflow.patch b/main/musl/fix-single-byte-overflow.patch new file mode 100644 index 0000000000..ffc5b3551c --- /dev/null +++ b/main/musl/fix-single-byte-overflow.patch @@ -0,0 +1,32 @@ +From b114190b29417fff6f701eea3a3b3b6030338280 Mon Sep 17 00:00:00 2001 +From: Rich Felker <dalias@aerifal.cx> +Date: Sat, 24 Oct 2015 22:42:10 -0400 +Subject: fix single-byte overflow of malloc'd buffer in getdelim + +the buffer enlargement logic here accounted for the terminating null +byte, but not for the possibility of hitting the delimiter in the +buffer-refill code path that uses getc_unlocked, in which case two +additional bytes (the delimiter and the null termination) are written +without another chance to enlarge the buffer. + +this patch and the corresponding bug report are by Felix Janda. +--- + src/stdio/getdelim.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c +index a88c393..3077490 100644 +--- a/src/stdio/getdelim.c ++++ b/src/stdio/getdelim.c +@@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric + for (;;) { + z = memchr(f->rpos, delim, f->rend - f->rpos); + k = z ? z - f->rpos + 1 : f->rend - f->rpos; +- if (i+k >= *n) { ++ if (i+k+1 >= *n) { + if (k >= SIZE_MAX/2-i) goto oom; + *n = i+k+2; + if (*n < SIZE_MAX/4) *n *= 2; +-- +cgit v0.11.2 + |