|
c8f0723d
|
2016-01-27T15:10:11
|
|
Fix heap buffer overflow in fgetwln()
In the function fgetwln() there's a 4 byte heap overflow.
There is a while loop that has this check to see whether there's still
enough space in the buffer:
if (!fb->len || wused > fb->len) {
If this is true more memory gets allocated. However this test won't be
true if wused == fb->len, but at that point wused already points out
of the buffer. Some lines later there's a write to the buffer:
fb->wbuf[wused++] = wc;
This bug was found with the help of address sanitizer.
Warned-by: ASAN
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881
Signed-off-by: Guillem Jover <guillem@hadrons.org>
|