#7 Fix possible strchr overrun in fake readline

open
nobody
None
5
2011-03-30
2011-03-30
Christopher Head
No

In the fake readline(), when the function runs out of buffer space, it malloc()s a new buffer and copies the data into it. It copies exactly "bufpos" bytes, which is exactly the number of valid bytes it has read from input. It does not NUL-terminate the new buffer, and then it goes to the top of the while loop where it calls strchr() on the buffer. If no '\n' exists, strchr() may run off the end of the new buffer looking for a NUL. The attached patch copies bufpos+1 bytes instead, thus including the NUL-terminator that was already present at the end of the old buffer.
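As an added example, not the project's own code or the attached patch, here is a self-contained C model of the grow-and-copy path with the ticket's fix applied; the in-memory `source` / `src_gets` reader is a constructed stand-in for the real input routine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { const char *data; size_t pos; } source; /* constructed in-memory input */

/* Like fgets(): copy at most n-1 bytes into dst, stop after '\n', NUL-terminate. */
static int src_gets(char *dst, size_t n, source *s)
{
    size_t i = 0;
    if (n == 0 || s->data[s->pos] == '\0') return 0;   /* end of input */
    while (i + 1 < n && s->data[s->pos] != '\0') {
        char c = s->data[s->pos++];
        dst[i++] = c;
        if (c == '\n') break;
    }
    dst[i] = '\0';
    return 1;
}

/* Grow-on-demand line reader modelled on the ticket's fake readline().
 * Returns a malloc()ed line without its '\n', or NULL at end of input. */
static char *fake_readline(source *s)
{
    size_t cap = 8, bufpos = 0;          /* bufpos = valid bytes read so far */
    char *buf = malloc(cap);
    if (!buf) return NULL;
    buf[0] = '\0';
    while (1) {
        char *nl = strchr(buf, '\n');    /* scans until '\n' or the NUL */
        if (nl) { *nl = '\0'; return buf; }
        if (bufpos + 1 >= cap) {
            char *nbuf = malloc(cap * 2);
            if (!nbuf) { free(buf); return NULL; }
            /* The original copied only bufpos bytes, leaving nbuf unterminated,
             * so the strchr() at the top of the loop could scan past its end.
             * Copying bufpos + 1 bytes carries the NUL across. */
            memcpy(nbuf, buf, bufpos + 1);
            free(buf);
            buf = nbuf;
            cap *= 2;
            continue;
        }
        if (!src_gets(buf + bufpos, cap - bufpos, s)) {
            if (bufpos == 0) { free(buf); return NULL; }
            return buf;                  /* last line without trailing '\n' */
        }
        bufpos += strlen(buf + bufpos);
    }
}
```

The first line in the test below forces three buffer growths, so every growth copy is exercised before strchr() runs on the new buffer.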

Discussion

Attachments

  • The patch