On 2015-04-09 14:10:43, Celelibi wrote:
> 2015-04-09 11:05 UTC+02:00, Sebastian Ramacher <[email protected]>:
> > xmalloc calls memset(..., 0, ...) on the allocated memory block. I've
> > removed the explicit assignment.
>
> I've seen this, but didn't know if that was just a fool-proof
> protection or actually part of the specification of the xmalloc
> function.

The xmalloc in yafc does.

> >> + if (maxlen - start_len - 3 > 0)
> >> + copy_from = strchr(path + len - (maxlen - start_len - 3), '/');
> >
> > This causes invalid reads if 0 <= maxlen - start_len < 3. Changing the
> > condition
> > to maxlen - start_len > 3 fixes that.
>
> My math failed me. :)
> You're right, this is an unsigned expression.
>
> Although I agree with the mistake, I'd suggest writing the condition
> maxlen > start_len + 3 to handle the following case:
>
> maxlen = 7, start_len = 8.
> maxlen - start_len > 3 is true.
> maxlen - start_len - 3 == (unsigned)-4 thus making the memory access invalid.

Thanks, fixed.

Cheers
--
Sebastian Ramacher
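Added example (not yafc code and not from either poster): the three guards discussed above, side by side with size_t operands, plus a guarded form of the strchr() lookup. The function names, the sample path and the extra off > len check are assumptions made here for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Three spellings of the guard from the thread, with size_t operands as in
 * the patched code. Each returns 1 when the guard lets the strchr() run. */
static int guard_original(size_t maxlen, size_t start_len)
{
    return maxlen - start_len - 3 > 0;  /* unsigned: only exactly 0 is false */
}

static int guard_first_fix(size_t maxlen, size_t start_len)
{
    return maxlen - start_len > 3;      /* still wraps when start_len > maxlen */
}

static int guard_final(size_t maxlen, size_t start_len)
{
    return maxlen > start_len + 3;      /* no subtraction, nothing to wrap */
}

/* The offset the hunk subtracts from path + len; after a wrap it is near
 * SIZE_MAX and the pointer lands far outside the buffer. */
static size_t back_offset(size_t maxlen, size_t start_len)
{
    return maxlen - start_len - 3;
}

/* Guarded form of the hunk's lookup. The off > len check is an extra
 * assumption not discussed in the thread. Returns NULL when the lookup is
 * skipped or the tail contains no '/'. */
static const char *tail_slash(const char *path, size_t maxlen, size_t start_len)
{
    size_t len = strlen(path);
    if (!guard_final(maxlen, start_len))
        return NULL;
    size_t off = back_offset(maxlen, start_len);
    if (off > len)
        return NULL;
    return strchr(path + len - off, '/');
}

int main(void)
{
    /* Celelibi's case: maxlen = 7, start_len = 8; the difference has wrapped */
    printf("orig=%d fix1=%d final=%d off=%zu\n", guard_original(7, 8),
           guard_first_fix(7, 8), guard_final(7, 8), back_offset(7, 8));
    const char *p = tail_slash("/home/user/projects/yafc/src", 20, 5); /* constructed path */
    printf("tail_slash -> %s\n", p ? p : "(NULL)");
    return 0;
}
```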