Heinz Graalfs wrote:
> On Tue, 2012-06-12 at 13:52 +0200, Alexander Graf wrote:
>
>> On 06/06/2012 02:05 PM, Jens Freimann wrote:
>>
>>> From: Heinz Graalfs<[email protected]>
>>>
>>>
[...]
>>> +static void chr_read_vt220(void *opaque, const uint8_t *buf, int size)
>>> +{
>>> + char *offset;
>>> +
>>> + if (!sclp_console_data_vt220) {
>>> + size_buffer = 2 * size;
>>>
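Review bot: `size_buffer = 2 * size;` in the `!sclp_console_data_vt220` branch sizes the buffer from whatever length the first chunk happens to have, and the factor of two is neither explained nor tied to what the function actually writes later (size bytes plus a terminator). Suggest computing the requirement explicitly, e.g. `size_buffer = size + 1; /* payload plus trailing '\0' */`, and, since the same expression recurs further down in the patch, computing it in one place so the allocation and the copy cannot drift apart.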
>> Why 2*?
>>
>>
>
> OK, will change to exact size plus 1 for trailing 0
>
This happens in more than one place btw :).
>
>
>>> + free(sclp_console_data_vt220);
>>> + size_buffer = 2 * size;
>>> + sclp_console_data_vt220 = malloc(size_buffer);
>>> + }
>>> + offset = sclp_console_data_vt220;
>>> + if (offset) {
>>> + memcpy(offset, buf, size);
>>> + offset += size;
>>> + *offset = '\0';
>>>
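Review bot: `memcpy(offset, buf, size);` followed by `*offset = '\0';` writes size + 1 bytes into sclp_console_data_vt220, and nothing between the allocation and the copy compares size + 1 against size_buffer; the only sizing in view is `size_buffer = 2 * size;` at allocation time, so any chunk that arrives when the buffer is shorter than size + 1 is written past its end, and when size is 0 the allocation is malloc(0), after which the terminator store is itself out of bounds. Suggest checking `if (size + 1 > size_buffer)` before the copy and either reallocating to size + 1 or refusing the chunk, and noting that `if (offset)` silently discards the data when malloc returns NULL. Style: QEMU code uses g_malloc/g_free rather than malloc/free.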
>> How do you know you're not out of bounds?
>>
>>
> OK, size + 1
>
I was more thinking of the memcpy(some_variable, ..., n) where you never
check if available_space(some_variable) > n, no?
Alex
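As an added illustration of the space check asked for above, and not code from the patch or from QEMU: a small C model of the vt220 read path with two allocation policies. The first keeps the patch's allocate-once, 2 * size policy but adds the missing comparison before memcpy, so the inputs the original code would overflow on (a chunk longer than the first one, or an empty first chunk) are refused instead of written past the buffer; the second sizes the buffer to size + 1 and grows it on demand. The struct, function and sample names are assumptions, and the sample chunks are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the patch's sclp_console_data_vt220 and
 * size_buffer globals, kept in a struct so two policies can be compared
 * side by side.  All names here are assumptions, not QEMU's. */
struct vt220_sink {
    char   *data;   /* NUL-terminated copy of the most recent chunk */
    size_t  cap;    /* bytes allocated for data */
};

/* Allocation policy of the posted patch: allocate once, 2 * size of the
 * first chunk, never resize.  The difference is the explicit check before
 * memcpy, so a chunk that would not fit is refused rather than written past
 * the end.  Returns bytes stored, or -1 if size + 1 bytes would not fit. */
int vt220_store_fixed(struct vt220_sink *s, const uint8_t *buf, int size)
{
    if (size < 0) {
        return -1;
    }
    size_t need = (size_t)size + 1;          /* payload plus trailing '\0' */
    if (!s->data) {
        s->cap  = 2 * (size_t)size;          /* 0 when the first chunk is empty */
        s->data = s->cap ? malloc(s->cap) : NULL;
        if (!s->data) {
            s->cap = 0;
            return -1;                       /* nothing allocated to write into */
        }
    }
    /* The check the patch lacks: available space must cover n + 1 bytes. */
    if (need > s->cap) {
        return -1;
    }
    memcpy(s->data, buf, (size_t)size);
    s->data[size] = '\0';
    return size;
}

/* Hardened policy: size the buffer to size + 1 and grow it whenever a larger
 * chunk arrives, so the copy can never exceed cap.  On allocation failure the
 * previous buffer is kept and the chunk is dropped. */
int vt220_store_grow(struct vt220_sink *s, const uint8_t *buf, int size)
{
    if (size < 0) {
        return -1;
    }
    size_t need = (size_t)size + 1;
    if (need > s->cap) {
        char *p = realloc(s->data, need);    /* realloc(NULL, n) acts as malloc(n) */
        if (!p) {
            return -1;
        }
        s->data = p;
        s->cap  = need;
    }
    memcpy(s->data, buf, (size_t)size);
    s->data[size] = '\0';
    return size;
}

void vt220_sink_free(struct vt220_sink *s)
{
    free(s->data);
    s->data = NULL;
    s->cap  = 0;
}

/* Constructed sample chunks and sinks, so the file runs offline. */
static const uint8_t chunk_abcd[4] = { 'a', 'b', 'c', 'd' };
static const uint8_t chunk_8[8]    = { '1', '2', '3', '4', '5', '6', '7', '8' };
struct vt220_sink sink_fixed;   /* zero-initialised: data NULL, cap 0 */
struct vt220_sink sink_grow;
struct vt220_sink sink_empty;   /* receives an empty first chunk */

int main(void)
{
    int n;
    n = vt220_store_fixed(&sink_fixed, chunk_abcd, 4);   /* cap becomes 8 */
    printf("fixed: stored %d, cap %zu\n", n, sink_fixed.cap);
    n = vt220_store_fixed(&sink_fixed, chunk_8, 8);      /* needs 9 > 8: refused */
    printf("fixed: stored %d (8-byte chunk needs 9, cap %zu)\n", n, sink_fixed.cap);
    n = vt220_store_fixed(&sink_empty, chunk_abcd, 0);   /* 2 * 0 bytes: refused */
    printf("fixed: stored %d for an empty first chunk\n", n);
    n = vt220_store_grow(&sink_grow, chunk_abcd, 4);     /* cap becomes 5 */
    printf("grow:  stored %d, cap %zu\n", n, sink_grow.cap);
    n = vt220_store_grow(&sink_grow, chunk_8, 8);        /* grows to 9 */
    printf("grow:  stored %d, cap %zu, data \"%s\"\n", n, sink_grow.cap, sink_grow.data);
    vt220_sink_free(&sink_fixed);
    vt220_sink_free(&sink_grow);
    vt220_sink_free(&sink_empty);
    return 0;
}
```

The refused cases in the fixed policy are exactly the writes the patch performs unchecked; the grow policy shows that once the buffer is sized from the same expression the copy uses (size + 1), the comparison before memcpy is the only thing standing between a longer chunk and a heap overflow.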