Fix another off by one error in Uemis native downloader

And again buffer_insert contained the blatant bug.

The code wasn't copying the trailing '\0' when extending the string, which
usually didn't end up blowing up the code (and therefore kept the bug
hidden until now) because of the way realloc reused memory - we just had
trailing garbage strings. But sometimes we weren't so lucky and the strlen
in a subsequent call of buffer_insert would run past the end of the
allocated buffer.

Oops.

Signed-off-by: Dirk Hohndel <dirk@hohndel.org>
Dirk Hohndel 2012-11-19 20:43:49 -08:00
parent f3d87a2b16
commit 8e4d4970ec


@ -413,7 +413,7 @@ static void buffer_insert(char **buffer, int *buffer_size, char *buf)
*buffer_size += len;
*buffer = realloc(*buffer, *buffer_size);
ptr = *buffer + offset;
memmove(ptr + len, ptr, strlen(*buffer) - offset);
memmove(ptr + len, ptr, strlen(*buffer) - offset + 1);
memmove(ptr, cbuf, len);
}
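Review bot: The corrected `memmove(ptr + len, ptr, strlen(*buffer) - offset + 1);` is only in bounds if `*buffer_size` already counts the terminating NUL before `*buffer_size += len;`. The move now ends at byte `strlen(*buffer) + len + 1` of the new allocation, so if the size tracked only the string length, this fix shifts the off-by-one from a read to a one-byte write past the buffer. Please state that invariant in a comment above the function, or size the realloc from `strlen(*buffer) + len + 1` directly so the two cannot drift apart. Separately, `*buffer = realloc(*buffer, *buffer_size);` overwrites the only pointer to the old block and is used unchecked on the next line; on allocation failure the old buffer leaks and `ptr` is computed from NULL. Assign to a temporary, check it, and only then update `*buffer` and `*buffer_size`.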