rpms / pspp

Clone
Source Code
GIT

Files

f10 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 f8 f9 main rawhide
  1.   f29
  2.   pspp-0005-pspp-dump-sav-Fix-write-past-end-of-buffer-in-corner.patch
Blob Blame History Raw 
From: Ben Pfaff <blp@cs.stanford.edu>
Date: Fri, 22 Feb 2019 17:16:40 -0800
Subject: [PATCH] pspp-dump-sav; Fix write past end of buffer in corner case.

If count == 0 and size > 0, then n_bytes is 0, buffer is a 1-byte
allocation, and the assignment to buffer[size] would write to buffer[1]
(or past it), which is past the end of the allocation.

Found by Address Sanitizer.

diff --git a/utilities/pspp-dump-sav.c b/utilities/pspp-dump-sav.c
index b0001ac6..027b6580 100644
--- a/utilities/pspp-dump-sav.c
+++ b/utilities/pspp-dump-sav.c
@@ -1403,7 +1403,7 @@ open_text_record (struct sfm_reader *r, size_t size, size_t count)
   size_t n_bytes = size * count;
   char *buffer = xmalloc (n_bytes + 1);
   read_bytes (r, buffer, n_bytes);
-  buffer[size] = '\0';
+  buffer[n_bytes] = '\0';
   text->reader = r;
   text->buffer = buffer;
   text->size = n_bytes;
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.