Bug #1837

overflow in buffer.c function

Added by ycheng almost 11 years ago. Updated almost 11 years ago.

Status: Fixed
Priority: Urgent
Assignee:
Category: core
Target version:
Start date: 2008-12-05
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

// lighttpd-1.4.19 buffer.c
int buffer_append_string_rfill(buffer *b, const char *s, size_t maxlen);

It uses buffer_prepare_append(b, maxlen + 1) to enlarge b's size.
But if (maxlen+1) < strlen(s), the following memcpy() will cause an overflow.
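
The length check the report says is missing, sketched as an added example; this is not lighttpd's code and not the change applied in r2380. The sbuf type and both functions are hypothetical stand-ins, and rejecting an over-long s (rather than truncating it) is an assumption.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a growable string buffer; not lighttpd's struct. */
typedef struct {
    char  *ptr;   /* NUL-terminated contents, or NULL when empty */
    size_t len;   /* bytes in use, excluding the terminating NUL */
    size_t cap;   /* bytes allocated */
} sbuf;

/* Grow b so that `extra` more bytes plus a NUL fit after the current contents. */
static int sbuf_reserve(sbuf *b, size_t extra) {
    if (extra > SIZE_MAX - b->len - 1) return -1;   /* size_t wrap-around */
    size_t need = b->len + extra + 1;
    if (need <= b->cap) return 0;
    char *p = realloc(b->ptr, need);
    if (p == NULL) return -1;
    b->ptr = p;
    b->cap = need;
    return 0;
}

/* Append s right-padded with spaces to exactly maxlen columns.
 * The reported pattern reserves maxlen + 1 bytes and then copies strlen(s)
 * bytes; here the copy length is compared with the reservation first. */
int sbuf_append_rfill_checked(sbuf *b, const char *s, size_t maxlen) {
    if (b == NULL || s == NULL) return -1;
    size_t s_len = strlen(s);
    if (s_len > maxlen) return -1;          /* copy would exceed the reservation */
    if (sbuf_reserve(b, maxlen) != 0) return -1;
    memcpy(b->ptr + b->len, s, s_len);
    memset(b->ptr + b->len + s_len, ' ', maxlen - s_len);  /* s_len <= maxlen: no wrap */
    b->len += maxlen;
    b->ptr[b->len] = '\0';
    return 0;
}

int main(void) {
    sbuf b = {0};
    int ok  = sbuf_append_rfill_checked(&b, "GET", 8);            /* fits, padded to 8 */
    int bad = sbuf_append_rfill_checked(&b, "too long here", 4);  /* rejected, b untouched */
    free(b.ptr);
    return (ok == 0 && bad == -1) ? 0 : 1;
}
```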

#1

Updated by icy almost 11 years ago

  • Category set to core
  • Assignee set to jan
  • Target version set to 1.4.21

Nice find. A good thing: the function isn't used anywhere in the source. :)

#2

Updated by stbuehler almost 11 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2380.
