Updated fix for ezxml_set_attr() memory corruption
Status: Beta
Brought to you by:
voisine
Menu
▾
▴
#5 Updated fix for ezxml_set_attr() memory corruption
The patch for the ezxml_set_attr() memory corruption (patch 1654319 for bug 1653391) is not quite right and I have uploaded a new patch that replaces it to fix that. I hit the same bug and came up with basically the same fix, but with one small variation. After the added "c -= 2", the memmove that follows it correctly uses the decremented value of c to index the from/to addresses, but needs to use the original value of c in the length to move, not the decremented value as it was in the original patch.
For example, if there is just one attribute and that is being deleted, then l == 0, c == 2, and the memory to be moved holds 2 bytes, the 2nd being the null terminator. After the "c -= 2" we have l and c both == 0, so the memmove length "(c / 2) - (l / 2)" would equal zero and nothing would get moved. With this new patch the memmove length is "((c + 2) / 2) - (l / 2)" which in this example would equal one to move down just the null terminator byte.
Patch to fix ezxml_set_attr() memory corruption - bug 1653391