|
From: Tom H. <tom...@so...> - 2017-11-14 09:19:03
|
https://sourceware.org/git/gitweb.cgi?p=valgrind.git;h=a5af4146e383dd442130905901b046e2cb4b0ed4 commit a5af4146e383dd442130905901b046e2cb4b0ed4 Author: Tom Hughes <to...@co...> Date: Tue Nov 14 09:16:26 2017 +0000 Avoid underflow in strlcpy and strlcat wrappers when count is zero We can't decrement n because it's unsigned and might be zero which means it would wrap and we'd wind up reading far too much. Fixes BZ#208052 Diff: --- shared/vg_replace_strmem.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/shared/vg_replace_strmem.c b/shared/vg_replace_strmem.c index 71c7e56..6c946ce 100644 --- a/shared/vg_replace_strmem.c +++ b/shared/vg_replace_strmem.c @@ -377,7 +377,7 @@ static inline void my_exit ( int x ) while (m < n && *dst) { m++; dst++; } \ if (m < n) { \ /* Fill as far as dst_orig[n-2], then nul-terminate. */ \ - while (m < n-1 && *src) { m++; *dst++ = *src++; } \ + while (m+1 < n && *src) { m++; *dst++ = *src++; } \ *dst = 0; \ } else { \ /* No space to copy anything to dst. m == n */ \ @@ -580,7 +580,7 @@ static inline void my_exit ( int x ) \ STRLCPY_CHECK_FOR_DSTSIZE_ZERO \ \ - while (m < n-1 && *src) { m++; *dst++ = *src++; } \ + while (m+1 < n && *src) { m++; *dst++ = *src++; } \ /* m non-nul bytes have now been copied, and m <= n-1. */ \ /* Check for overlap after copying; all n bytes of dst are relevant, */ \ /* but only m+1 bytes of src if terminator was found */ \ |