summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2015-10-24 22:42:10 -0400
committerRich Felker <dalias@aerifal.cx>2015-10-24 22:42:10 -0400
commitb114190b29417fff6f701eea3a3b3b6030338280 (patch)
tree4002d6485371fe07fd26952d638cc0b938d34641
parentbc0c48414eaba9e974e54aa8ef611b78037fd387 (diff)
downloadmusl-b114190b29417fff6f701eea3a3b3b6030338280.tar.gz
fix single-byte overflow of malloc'd buffer in getdelim
the buffer enlargement logic here accounted for the terminating null byte, but not for the possibility of hitting the delimiter in the buffer-refill code path that uses getc_unlocked, in which case two additional bytes (the delimiter and the null termination) are written without another chance to enlarge the buffer. this patch and the corresponding bug report are by Felix Janda.
-rw-r--r--src/stdio/getdelim.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c
index a88c3933..30774908 100644
--- a/src/stdio/getdelim.c
+++ b/src/stdio/getdelim.c
@@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
for (;;) {
z = memchr(f->rpos, delim, f->rend - f->rpos);
k = z ? z - f->rpos + 1 : f->rend - f->rpos;
- if (i+k >= *n) {
+ if (i+k+1 >= *n) {
if (k >= SIZE_MAX/2-i) goto oom;
*n = i+k+2;
if (*n < SIZE_MAX/4) *n *= 2;