2015-04-09 11:05 UTC+02:00, Sebastian Ramacher <[email protected]>:
> xmalloc calls memset(..., 0, ...) on the allocated memory block. I've
> removed the explicit assignment.

I've seen this, but didn't know if that was just a fool-proof protection or actually part of the specification of the xmalloc function.

>> +    if (maxlen - start_len - 3 > 0)
>> +        copy_from = strchr(path + len - (maxlen - start_len - 3), '/');
>
> This causes invalid reads if 0 <= maxlen - start_len < 3. Changing the
> condition to maxlen - start_len > 3 fixes that.

My math failed me. :)

You're right, this is an unsigned expression. Although I agree with the mistake, I'd suggest writing the condition maxlen > start_len + 3 to handle the following case: maxlen = 7, start_len = 8. maxlen - start_len > 3 is true. maxlen - start_len - 3 == (unsigned)-4 thus making the memory access invalid.

Celelibi
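Review bot: even once the guard no longer wraps, the pointer expression `path + len - (maxlen - start_len - 3)` in the second `+` line still points before `path` whenever `maxlen - start_len - 3` exceeds `len`; the guard only ensures the subtrahend is positive, not that it is bounded by the string length. Suggest clamping the number of trailing bytes to `len` (or adding `maxlen - start_len - 3 <= len` to the condition) before calling strchr().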
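The unsigned-wrap behaviour discussed in the exchange above, as an added C example that is not part of the original patch or thread: it compares the three forms of the guard and shows the strchr() start offset staying inside the buffer. The function names, the clamp to len, and the sample path are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Original guard from the patch: size_t subtraction cannot go below
   zero, so "> 0" is also true when maxlen - start_len - 3 wraps around. */
bool guard_original(size_t maxlen, size_t start_len)
{
    return maxlen - start_len - 3 > 0;
}

/* Guard proposed in the review: still wraps when start_len > maxlen. */
bool guard_proposed(size_t maxlen, size_t start_len)
{
    return maxlen - start_len > 3;
}

/* Subtraction-free guard: cannot wrap for realistic start_len values
   (start_len + 3 would have to overflow size_t). */
bool guard_no_subtraction(size_t maxlen, size_t start_len)
{
    return maxlen > start_len + 3;
}

/* Mirrors the patch's strchr() call, guarded by the subtraction-free
   condition. Returns the first '/' within the last (maxlen - start_len - 3)
   bytes of path, or NULL when the guard rejects the lengths.
   Assumes len == strlen(path). The clamp to len is an extra safety step
   of this example, not part of the patch. */
const char *find_tail_slash(const char *path, size_t len,
                            size_t maxlen, size_t start_len)
{
    if (!guard_no_subtraction(maxlen, start_len))
        return NULL;
    size_t back = maxlen - start_len - 3;   /* known to be >= 1 here */
    if (back > len)                          /* keep the read inside path */
        back = len;
    return strchr(path + len - back, '/');
}
```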

