Bug #1837

overflow in buffer.c function

Added by ycheng over 7 years ago. Updated over 7 years ago.

Status: Fixed
Priority: Urgent
Assignee:
Category: core
Target version:
Start date: 2008-12-05
Due date:
% Done: 100%
Missing in 1.5.x:

Description

// lighttpd-1.4.19 buffer.c
int buffer_append_string_rfill(buffer *b, const char *s, size_t maxlen);

It uses buffer_prepare_append(b, maxlen + 1) to enlarge b's size.
But if (maxlen+1) < strlen(s), the following memcpy() will cause an overflow.
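The size mismatch reported above, as an added example that is not lighttpd's code and not part of the original report: `demo_rfill_overrun` computes how far an unchecked copy of `strlen(s)` bytes would run past a `maxlen + 1` reservation, and `demo_append_rfill` is a checked variant. The `demo_*` names and the struct are hypothetical, `used` is modelled as excluding the NUL, and clamping the copy to `maxlen` is this example's choice, not necessarily what changeset r2380 does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal buffer for this example; not lighttpd's struct. */
typedef struct { char *ptr; size_t used; size_t size; } demo_buf;

/* Ensure `need` more bytes fit after the current contents. */
static int demo_reserve(demo_buf *b, size_t need) {
    if (need > (size_t)-1 - b->used) return -1;   /* size_t wraparound */
    if (b->used + need <= b->size) return 0;
    char *p = realloc(b->ptr, b->used + need);
    if (!p) return -1;
    b->ptr = p;
    b->size = b->used + need;
    return 0;
}

/* Bytes an unchecked memcpy(dst, s, strlen(s)) would write past a
 * reservation of maxlen + 1 bytes (the condition in the report). */
size_t demo_rfill_overrun(const char *s, size_t maxlen) {
    size_t s_len = strlen(s);
    return (s_len > maxlen && s_len - maxlen > 1) ? s_len - maxlen - 1 : 0;
}

/* Checked variant: append s right-padded with spaces to exactly maxlen
 * characters, copying at most maxlen bytes of s. 0 on success, -1 on error. */
int demo_append_rfill(demo_buf *b, const char *s, size_t maxlen) {
    if (!b || !s || maxlen == (size_t)-1) return -1;
    size_t s_len = strlen(s);
    size_t n = s_len < maxlen ? s_len : maxlen;   /* clamp the copy length */
    if (demo_reserve(b, maxlen + 1) != 0) return -1;
    memcpy(b->ptr + b->used, s, n);
    memset(b->ptr + b->used + n, ' ', maxlen - n);
    b->used += maxlen;            /* `used` excludes the NUL in this model */
    b->ptr[b->used] = '\0';
    return 0;
}

int main(void) {
    demo_buf b = {0};
    const char *s = "abcdefghij";                 /* constructed input */
    printf("unchecked overrun: %zu bytes\n", demo_rfill_overrun(s, 4));
    if (demo_append_rfill(&b, s, 4) == 0) printf("checked: \"%s\"\n", b.ptr);
    free(b.ptr);
    return 0;
}
```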

Associated revisions

Revision 2380 (diff)
Added by stbuehler over 7 years ago

Some small buffer.c fixes (closes #1837)

Revision 4642508d (diff)
Added by stbuehler over 7 years ago

Some small buffer.c fixes (closes #1837)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-1.4.x@2380 152afb58-edef-0310-8abb-c4023f1b3aa9

Revision 2451 (diff)
Added by stbuehler over 7 years ago

merge: Some small buffer.c fixes (#1837)

History

#1 Updated by icy over 7 years ago

  • Category set to core
  • Assignee set to jan
  • Target version set to 1.4.21

Nice find. A good thing: the function isn't used anywhere in the source. :)

#2 Updated by stbuehler over 7 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2380.
