This is the mail archive of the libc-hacker@sources.redhat.com mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH] Off-by-one fix for dl-sysdep.c

From: Jakub Jelinek <jakub at redhat dot com>
To: Ulrich Drepper <drepper at redhat dot com>, Roland McGrath <roland at redhat dot com>
Cc: Glibc hackers <libc-hacker at sources dot redhat dot com>
Date: Tue, 11 Mar 2003 08:42:01 +0100
Subject: [PATCH] Off-by-one fix for dl-sysdep.c
Reply-to: Jakub Jelinek <jakub at redhat dot com>

Hi!

The code later does:
      cp = __mempcpy ((char *) (result + *sz), temp[0].str, temp[0].len);
      *cp = '/';
and so the final '/' is past the end of the malloced buffer.

2003-03-11  Jakub Jelinek  <jakub at redhat dot com>

	* sysdeps/generic/dl-sysdep.c (_dl_important_hwcaps): If cnt == 1,
	allocate space even for the trailing '/'.  Reported by
	John Reiser <jreiser at BitWagon dot com>.

--- libc/sysdeps/generic/dl-sysdep.c.jj	2003-03-06 12:26:22.000000000 -0500
+++ libc/sysdeps/generic/dl-sysdep.c	2003-03-11 02:34:48.000000000 -0500
@@ -338,7 +338,7 @@ _dl_important_hwcaps (const char *platfo
 
   /* Determine the total size of all strings together.  */
   if (cnt == 1)
-    total = temp[0].len;
+    total = temp[0].len + 1;
   else
     {
       total = (1UL << (cnt - 2)) * (temp[0].len + temp[cnt - 1].len + 2);

	Jakub

Follow-Ups:
- Re: [PATCH] Off-by-one fix for dl-sysdep.c
  - From: Roland McGrath

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]