| author | Kurt Schwehr <schwehr@gmail.com> | 2018-05-31 02:07:30 -0700 |
|---|---|---|
| committer | Kristian Evers <kristianevers@gmail.com> | 2018-05-31 11:07:30 +0200 |
| commit | bbb13e808b89bfaf544441b0e7f9b3bae48993bd (patch) | |
| tree | 4037395a68573edba4ced59d907b2dfbb8eb5a3e | |
| parent | 1b3c79bad58d0b85980d428b1d75f9651392a4d3 (diff) | |
| download | PROJ-bbb13e808b89bfaf544441b0e7f9b3bae48993bd.tar.gz PROJ-bbb13e808b89bfaf544441b0e7f9b3bae48993bd.zip | |
Fix buffer overflow in gie.c:append_args() (#1023)
Observed a buffer overflow in append_args under autofuzz, at the strcpy in append_args.
I think the +2 is required to account for both a nul char and the space.
| -rw-r--r-- | src/gie.c | 3 |
1 files changed, 2 insertions, 1 deletions
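--- a/src/gie.c
+++ b/src/gie.c
@@ -1422,7 +1422,8 @@ static int append_args (ffio *G) {
     if (tag)
         skip_chars = strlen (tag);
-    if (G->args_size < args_len + next_len - skip_chars + 1) {
+    /* +2: 1 for the space separator and 1 for the NUL termination. */
+    if (G->args_size < args_len + next_len - skip_chars + 2) {
         void *p = realloc (G->args, 2 * G->args_size);
         if (0==p)
             return 0;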
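Review bot: The +2 corrects the size check, but the growth step on the following line still reallocates to `2 * G->args_size` regardless of how much is actually needed, so a single `next_args` longer than roughly the current buffer still overflows the subsequent copy after one doubling. The allocation should be sized from the requirement: keep the doubling heuristic but clamp it up to `args_len + next_len - skip_chars + 2` when that is larger, and store the same value into `G->args_size` afterwards (that assignment is outside the hunk, as is the rest of append_args, so the lengths are presumably `size_t` from `strlen` — confirm). Separately, if `tag` can ever be longer than `next_args`, `next_len - skip_chars` wraps on unsigned arithmetic and the check passes spuriously; a guard `if (skip_chars > next_len) skip_chars = next_len;` or an assert before the arithmetic would close that, if the caller does not already guarantee it.
```c
    if (tag)
        skip_chars = strlen (tag);
    /* +2: 1 for the space separator and 1 for the NUL termination. */
    size_t need = args_len + next_len - skip_chars + 2;
    if (G->args_size < need) {
        /* Double as before, but never allocate less than this append requires. */
        size_t new_size = 2 * G->args_size;
        if (new_size < need)
            new_size = need;
        void *p = realloc (G->args, new_size);
        if (0==p)
            return 0;
        /* … unchanged: store p into G->args; set G->args_size = new_size … */
```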
