Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sun, 22 May 2011 21:51:37 -0400
From: Rich Felker <dalias@...ifal.cx>
To: musl@...ts.openwall.com
Subject: Re: wcsncpy bug

On Mon, May 23, 2011 at 03:25:47AM +0200, Szabolcs Nagy wrote:
> wcsncpy(d,s,n) did not decrease n while copying the '\0'
> so when s[0]=0 and n=1 it wrote 2 zeros to d

> diff --git a/src/string/wcsncpy.c b/src/string/wcsncpy.c
> index 0164208..fbd0631 100644
> --- a/src/string/wcsncpy.c
> +++ b/src/string/wcsncpy.c
> @@ -3,7 +3,7 @@
>  wchar_t *wcsncpy(wchar_t *d, const wchar_t *s, size_t n)
>  {
>  	wchar_t *a = d;
> -	while (n && (*d++ = *s++)) n--;
> +	while (n-- && (*d++ = *s++));
>  	wmemset(d, 0, n);

Yes it was broken but this patch is too. It will now clobber all
memory if the source string does not contain a null terminator, since
the final value of n after the while loop will be (size_t)-1.

Thanks for catching this bug tho. I'll fix it.

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.