Bug #1837

overflow in buffer.c function

Added by ycheng almost 7 years ago. Updated almost 7 years ago.

Status: Fixed
Start date: 2008-12-05
Priority: Urgent
Due date:
Assignee: jan
% Done:
Target version: 1.4.21
Missing in 1.5.x:


// lighttpd-1.4.19 buffer.c
int buffer_append_string_rfill(buffer *b, const char *s, size_t maxlen);

It uses buffer_prepare_append(b, maxlen + 1) to enlarge b's size.
But if (maxlen+1) < strlen(s), the following memcpy() will cause an overflow.
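
The mismatch described in this report (space reserved from maxlen, bytes copied from strlen(s)) and the check that closes it, as an added example that is not lighttpd's code and not part of the original report. The `sbuf` type and the functions `sbuf_reserve` and `sbuf_append_rfill_checked` are hypothetical stand-ins; the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable string buffer; `used` counts the trailing NUL. */
typedef struct { char *ptr; size_t used; size_t size; } sbuf;

/* Make sure `extra` bytes are available after the current content. */
static int sbuf_reserve(sbuf *b, size_t extra) {
    if (extra > (size_t)-1 - b->used) return -1;    /* size_t wrap */
    size_t need = b->used + extra;
    if (need <= b->size) return 0;
    char *p = realloc(b->ptr, need);
    if (!p) return -1;
    b->ptr = p;
    b->size = need;
    return 0;
}

/* Append s, right-padded with spaces to exactly maxlen columns.
 * Returns 0 on success, -1 on bad input or if s is longer than maxlen. */
int sbuf_append_rfill_checked(sbuf *b, const char *s, size_t maxlen) {
    if (!b || !s) return -1;
    size_t s_len = strlen(s);
    /* The reservation below is sized by maxlen, the copy by s_len.
     * Without this check the memcpy writes past the reserved space,
     * and the pad length (maxlen - s_len) wraps around. */
    if (s_len > maxlen) return -1;
    if (maxlen == (size_t)-1) return -1;            /* maxlen + 1 would wrap */
    if (sbuf_reserve(b, maxlen + 1) != 0) return -1;
    if (b->used == 0) b->used = 1;                  /* room for the NUL */
    char *dst = b->ptr + b->used - 1;
    memcpy(dst, s, s_len);
    memset(dst + s_len, ' ', maxlen - s_len);
    b->used += maxlen;
    b->ptr[b->used - 1] = '\0';
    return 0;
}

int main(void) {
    sbuf b = {0};
    /* Constructed inputs: one that fits its column, one that does not. */
    printf("fits:     %d\n", sbuf_append_rfill_checked(&b, "ab", 5));
    printf("too long: %d\n", sbuf_append_rfill_checked(&b, "toolongvalue", 4));
    printf("content:  [%s]\n", b.ptr);
    free(b.ptr);
    return 0;
}
```
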

Associated revisions

Revision 2380
Added by stbuehler almost 7 years ago

Some small buffer.c fixes (closes #1837)

Revision 2451
Added by stbuehler over 6 years ago

merge: Some small buffer.c fixes (#1837)


#1 Updated by icy almost 7 years ago

  • Category set to core
  • Assignee set to jan
  • Target version set to 1.4.21

Nice find. A good thing: the function isn't used anywhere in the source. :)

#2 Updated by stbuehler almost 7 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2380.
