Bug #1837

closed

overflow in buffer.c function

Added by ycheng almost 13 years ago. Updated over 12 years ago.

Status: Fixed
Priority: Urgent
Category: core
Target version:

Description

// lighttpd-1.4.19 buffer.c
int buffer_append_string_rfill(buffer *b, const char *s, size_t maxlen);

It uses buffer_prepare_append(b, maxlen + 1) to enlarge b's size.
But if (maxlen+1) < strlen(s), the following memcpy() will cause an overflow.

Actions #1

Updated by icy almost 13 years ago

  • Category set to core
  • Assignee set to jan
  • Target version set to 1.4.21

Nice find. A good thing: the function isn't used anywhere in the source. :)

Actions #2

Updated by stbuehler over 12 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2380.
