Insufficient buffer length in getStringIndexList() in smidiff.c

In smidiff.c, in the function getStringIndexList(), the realloc() call for strIdxList adds 4, which matches the number of literal characters in the format string in the subsequent sprintf() call, but it doesn't account for the terminating null byte. It should be "+ 5".
I suspect that most runs of smidiff don't get memory corruption from the buffer overrun because realloc() usually happens to allocate a memory block larger than requested (e.g., the next larger power of 2).
-- Nathan
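The off-by-one described above, as an added example that is not libsmi's code: the format string here (`"%s -> %s"`, four literal characters) and the sample names are assumptions standing in for whatever smidiff.c actually uses. It contrasts the hand-counted size (literals only, no terminator), the corrected hand count, and a size derived from the format itself with `snprintf(NULL, 0, ...)`, which cannot go stale when the format string changes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical format with exactly four literal characters (" -> ");
   it stands in for the one in smidiff.c and does not reproduce it. */
#define JOIN_FMT "%s -> %s"

/* Size as the original code computed it: the four literals only,
   leaving no room for the terminating NUL that sprintf() always writes. */
size_t join_size_short(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + 4;
}

/* Size as the fix computes it: the four literals plus the NUL. */
size_t join_size_fixed(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + 5;
}

/* Size derived from the format: snprintf() with a NULL buffer returns the
   number of characters it would have written, excluding the NUL, so add one. */
size_t join_size_exact(const char *a, const char *b)
{
    int n = snprintf(NULL, 0, JOIN_FMT, a, b);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Build the joined string into a buffer sized from the format, then use the
   snprintf() return value to confirm nothing was truncated. Returns NULL on
   allocation failure or truncation; the caller frees the result. */
char *join_names(const char *a, const char *b)
{
    size_t need = join_size_exact(a, b);
    char *buf = malloc(need);
    if (buf == NULL)
        return NULL;
    int written = snprintf(buf, need, JOIN_FMT, a, b);
    if (written < 0 || (size_t)written >= need) {
        free(buf);
        return NULL;
    }
    return buf;
}

int main(void)
{
    /* Constructed sample index names, not taken from any MIB. */
    const char *a = "ifIndex", *b = "ifDescr";
    printf("short=%zu fixed=%zu exact=%zu\n",
           join_size_short(a, b), join_size_fixed(a, b), join_size_exact(a, b));
    char *s = join_names(a, b);
    if (s != NULL) {
        puts(s);
        free(s);
    }
    return 0;
}
```

For the sample names the short computation yields 18 bytes while both the fixed and the format-derived computation yield 19, the one-byte gap being the NUL that sprintf() writes past the end of the shorter allocation. Whether that byte lands in slack the allocator happened to hand out or in an adjacent heap object is what makes the bug intermittent rather than harmless.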

On Fri, Dec 21, 2018 at 10:31:42AM -0800, Nathan Kitchen via Libsmi wrote:
> In smidiff.c, in the function getStringIndexList(), the realloc() call for strIdxList adds 4, which matches the number of literal characters in the format string in the subsequent sprintf() call, but it doesn't account for the terminating null byte. It should be "+ 5".
> I suspect that most runs of smidiff don't get memory corruption from the buffer overrun because realloc() usually happens to allocate a memory block larger than requested (e.g., the next larger power of 2).
Thanks for reporting this. I have committed a fix to the svn repository.
/js