From: Ben Pfaff <blp@cs.stanford.edu>
Date: Fri, 22 Feb 2019 17:16:40 -0800
Subject: [PATCH] pspp-dump-sav; Fix write past end of buffer in corner case.
If count == 0 and size > 0, then n_bytes is 0, buffer is a 1-byte
allocation, and the assignment to buffer[size] would write to buffer[1]
(or past it), which is past the end of the allocation.
Found by Address Sanitizer.
diff --git a/utilities/pspp-dump-sav.c b/utilities/pspp-dump-sav.c
index b0001ac6..027b6580 100644
--- a/utilities/pspp-dump-sav.c
+++ b/utilities/pspp-dump-sav.c
@@ -1403,7 +1403,7 @@ open_text_record (struct sfm_reader *r, size_t size, size_t count)
size_t n_bytes = size * count;
char *buffer = xmalloc (n_bytes + 1);
read_bytes (r, buffer, n_bytes);
- buffer[size] = '\0';
+ buffer[n_bytes] = '\0';
text->reader = r;
text->buffer = buffer;
text->size = n_bytes;