fix crash - buffer overflow by one in fexpand
The symptom, on Windows, using LESSOPEN, was that "less" would
sometimes (up to 5-10%) crash with exit code 116.

gdb detected heap block overflow in free(filename) in lglob.

The overflow is because fexpand_copy(s, NULL) return value (and
allocated size) doesn't count the final \0, but fexpand_copy(s, x)
does write a final \0.

This appears to be a regression of commit 1626d06, where fexpand_copy
returned the strlen of the result, and fexpand allocated n+1, but
commit 1626d06 changed the allocation to n.

Fix it by always counting the \0 - which appears to fix the crash.

fexpand_copy is only used from fexpand (once to count, and once for
the actual copy), so there's no risk elsewhere from this change.
avih authored and gwsw committed May 29, 2024
1 parent 0faa223 commit f752294
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion filename.c
Expand Up @@ -368,7 +368,7 @@ static size_t fexpand_copy(constant char *fr, char *to)
xcpy_char(&xp, *fr);
}
}
if (xp.dest != NULL) xcpy_char(&xp, '\0');
xcpy_char(&xp, '\0');
return xp.copied;
}
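Review bot: dropping the `if (xp.dest != NULL)` guard changes the contract of fexpand_copy's return value from "length of the expanded string" to "length including the terminating '\0'", in both the counting pass (to == NULL) and the copy pass, which is what makes the size fexpand allocates from the first pass match the bytes the second pass writes. Since the function has no comment stating this, add one above `static size_t fexpand_copy(constant char *fr, char *to)` saying the count includes the NUL, so a future caller treating the result as a strlen is not off by one again; the commit message notes that commit 1626d06 already changed the allocation in fexpand from n+1 to n once, so a matching note at that allocation site would help keep the two in step.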


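The count/copy mismatch described in the commit message, reduced to a stand-alone C example (added here, not less's code): `xcpy_char` and `expand_copy` mirror the shape of less's `xcpy_char`/`fexpand_copy` without the filename expansion, and `overrun_bytes`, a constructed helper, sizes a buffer from the counting pass and reports how far the copy pass writes past it.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for xcpy_char: write only when dest is set, count either way. */
struct xcpy { char *dest; size_t copied; };

static void xcpy_char(struct xcpy *xp, char c)
{
    if (xp->dest != NULL)
        xp->dest[xp->copied] = c;
    xp->copied++;
}

/* Two-pass helper in the shape of fexpand_copy (expansion omitted).
 * to == NULL means "count only". count_nul selects the pre-fix (0) or
 * fixed (1) treatment of the terminator in the counting pass; the copy
 * pass always writes the '\0', exactly as in the original. */
static size_t expand_copy(const char *fr, char *to, int count_nul)
{
    struct xcpy xp = { to, 0 };
    for (; *fr != '\0'; fr++)
        xcpy_char(&xp, *fr);
    if (count_nul || xp.dest != NULL)
        xcpy_char(&xp, '\0');
    return xp.copied;
}

/* Allocate from the counting pass, copy, and return the number of bytes
 * the copy wrote beyond that size. A real allocation of exactly n bytes
 * would be the heap overflow gdb reported; one slack byte keeps this
 * check memory-safe. Returns (size_t)-1 if malloc fails. */
static size_t overrun_bytes(const char *s, int count_nul)
{
    size_t n = expand_copy(s, NULL, count_nul);   /* what fexpand allocates */
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return (size_t)-1;
    size_t written = expand_copy(s, buf, count_nul);
    free(buf);
    return written > n ? written - n : 0;
}

int main(void)
{
    /* Constructed sample filename, as a LESSOPEN pipeline might expand. */
    const char *name = "lesspipe.sh";
    return (overrun_bytes(name, 0) == 1 && overrun_bytes(name, 1) == 0) ? 0 : 1;
}
```

With count_nul = 0 every input, including the empty string, overruns by exactly one byte; with count_nul = 1 the allocation and the copy agree.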