
7 Jan 2019, 9:19 a.m.
On Fri, Dec 21, 2018 at 10:31:42AM -0800, Nathan Kitchen via Libsmi wrote:
> In smidiff.c, in the function getStringIndexList(), the realloc() call for strIdxList adds 4, which matches the number of literal characters in the format string in the subsequent sprintf() call, but it doesn't account for the terminating null byte. It should be "+ 5".
> I suspect that most runs of smidiff don't get memory corruption from the buffer overrun because realloc() usually happens to allocate a memory block larger than requested (e.g., the next larger power of 2).
Thanks for reporting this. I have committed a fix to the svn repository.
/js
--
Juergen Schoenwaelder Jacobs University Bremen gGmbH
Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
Fax: +49 421 200 3103 https://www.jacobs-university.de/
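The sizing mistake reported above is a general pattern: a buffer sized as "sum of the operands plus the literal characters in the format string" is always one byte short, because sprintf() writes a terminating NUL that the literal count does not cover. The following is an added illustration, not libsmi's code: it uses a hypothetical format string "%s -> %s" (four literal characters, mirroring the "+ 4" in the report) and compares the hand-counted allocation with the size snprintf() itself reports, then shows an append routine that sizes the realloc() from snprintf(NULL, 0, ...) so the count can never drift out of sync with the format string. The function and variable names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical format string with exactly four literal characters (" -> ").
 * It stands in for the real format used in smidiff.c, which is not shown here. */
#define JOIN_FMT      "%s -> %s"
#define JOIN_LITERALS 4

/* Bytes the hand-counted "+ 4" formula would pass to realloc():
 * operand lengths plus the literal characters, no room for the NUL. */
size_t undersized_alloc(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + JOIN_LITERALS;
}

/* Bytes sprintf() actually needs, including the terminating NUL.
 * snprintf(NULL, 0, ...) returns the length the formatted string would
 * have, so the count is derived from the format string rather than
 * maintained by hand. */
size_t required_alloc(const char *a, const char *b)
{
    int n = snprintf(NULL, 0, JOIN_FMT, a, b);
    if (n < 0)
        return 0;
    return (size_t)n + 1;
}

/* How many bytes the hand-counted allocation falls short by (always 1 here). */
size_t shortfall_bytes(const char *a, const char *b)
{
    size_t need = required_alloc(a, b);
    size_t have = undersized_alloc(a, b);
    return need > have ? need - have : 0;
}

/* Grow buf (may be NULL) to exactly the size the format needs and write
 * into it with snprintf() bounded by that size. Returns the new buffer, or
 * NULL on allocation failure or if snprintf() wrote something other than
 * the predicted length. The caller owns and frees the result. a and b must
 * not alias buf, since realloc() may move it. */
char *join_indices(char *buf, const char *a, const char *b)
{
    size_t need = required_alloc(a, b);
    if (need == 0)
        return NULL;
    char *p = realloc(buf, need);
    if (p == NULL)
        return NULL;
    int written = snprintf(p, need, JOIN_FMT, a, b);
    if (written < 0 || (size_t)written + 1 != need) {
        free(p);
        return NULL;
    }
    return p;
}

int main(void)
{
    /* Constructed sample operands, in the spirit of SMI index names. */
    const char *a = "ifIndex";
    const char *b = "ifDescr";

    printf("hand-counted alloc: %zu bytes\n", undersized_alloc(a, b));
    printf("snprintf-derived:   %zu bytes\n", required_alloc(a, b));
    printf("shortfall:          %zu byte(s)\n", shortfall_bytes(a, b));

    char *joined = join_indices(NULL, a, b);
    if (joined == NULL)
        return 1;
    printf("joined: \"%s\"\n", joined);
    free(joined);
    return 0;
}
```

The one-byte shortfall is exactly the kind of overrun that the report says allocator slack usually hides: a 19-byte write into an 18-byte request lands in padding the allocator rounded up to, so nothing visibly breaks. Building the program with -fsanitize=address and calling sprintf() into a buffer of undersized_alloc() bytes reports the write immediately, because ASan checks against the requested size rather than the rounded one.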