Bug #1837

overflow in buffer.c function

Added by ycheng over 5 years ago. Updated about 5 years ago.

Status: Fixed
Start date: 2008-12-05
Priority: Urgent
Due date:
Assignee: jan
% Done: 100%
Category: core
Target version: 1.4.21
Missing in 1.5.x:

Description

// lighttpd-1.4.19 buffer.c
int buffer_append_string_rfill(buffer *b, const char *s, size_t maxlen);

It uses buffer_prepare_append(b, maxlen + 1) to enlarge b's size.
But if (maxlen+1) < strlen(s), the following memcpy() will cause an overflow.
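
The mismatch described in this report, as an added example that is not lighttpd's code and not the change made in r2380: the reservation is sized from maxlen while the copy length comes from strlen(s), so the copy has to be bounded by maxlen as well. The sbuf type and the sbuf_reserve and sbuf_append_rfill names are hypothetical stand-ins, and truncating overlong input is an assumed policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified growable string buffer (hypothetical; not lighttpd's buffer type).
 * `used` is the string length, excluding the terminating NUL. */
typedef struct { char *ptr; size_t used; size_t size; } sbuf;

/* Make sure `need` bytes are free after the current content. */
static int sbuf_reserve(sbuf *b, size_t need) {
    if (b->ptr && b->size - b->used >= need) return 0;
    char *p = realloc(b->ptr, b->used + need);
    if (!p) return -1;
    b->ptr = p;
    b->size = b->used + need;
    return 0;
}

/* Append s, right-padded with spaces to exactly maxlen characters.
 * Returns 0 on success, 1 if s was truncated to maxlen, -1 on error. */
int sbuf_append_rfill(sbuf *b, const char *s, size_t maxlen) {
    if (!b || !s) return -1;
    /* used + maxlen + 1 must not wrap around size_t */
    if (maxlen >= SIZE_MAX - b->used) return -1;
    if (sbuf_reserve(b, maxlen + 1) != 0) return -1;

    size_t s_len = strlen(s);
    int truncated = s_len > maxlen;
    /* The reservation is sized from maxlen, so the copy length must be
     * bounded by maxlen too; copying s_len unchecked is the reported overflow. */
    size_t n = truncated ? maxlen : s_len;

    memcpy(b->ptr + b->used, s, n);
    memset(b->ptr + b->used + n, ' ', maxlen - n);
    b->used += maxlen;
    b->ptr[b->used] = '\0';
    return truncated;
}

int main(void) {
    sbuf b = {0};
    /* Constructed inputs: one that fits, one longer than maxlen. */
    int r1 = sbuf_append_rfill(&b, "abc", 5);
    int r2 = sbuf_append_rfill(&b, "overlong-input", 4);
    printf("%d %d [%s]\n", r1, r2, b.ptr ? b.ptr : "");
    free(b.ptr);
    return 0;
}
```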

Associated revisions

Revision 2380
Added by stbuehler about 5 years ago

Some small buffer.c fixes (closes #1837)

Revision 2451
Added by stbuehler about 5 years ago

merge: Some small buffer.c fixes (#1837)

History

#1 Updated by icy over 5 years ago

  • Category set to core
  • Assignee set to jan
  • Target version set to 1.4.21

Nice find. A good thing: the function isn't used anywhere in the source. :)

#2 Updated by stbuehler about 5 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2380.
