Date: Fri, 27 Sep 2013 11:28:49 -0400 From: Rich Felker <dalias@...ifal.cx> To: musl@...ts.openwall.com Subject: Re: [PATCH] mbsrtowcs: Fix bug when wn is a multiple of 4 On Fri, Sep 27, 2013 at 01:54:42AM -0700, Michael Forney wrote: > If wn becomes 0 after processing a chunk of 4, mbsrtowcs currently > continues on, wrapping wn around to -1, causing the rest of the string > to be processed. > > This resulted in buffer overruns if there was only space in ws for wn > wide characters. > --- > Hi, > > I found this bug while tracking down a SIGSEGV in bash when globbing a large > pattern. Thanks! That's a nice find. > src/multibyte/mbsrtowcs.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/src/multibyte/mbsrtowcs.c b/src/multibyte/mbsrtowcs.c > index b9bbc33..c5a30de 100644 > --- a/src/multibyte/mbsrtowcs.c > +++ b/src/multibyte/mbsrtowcs.c > @@ -66,6 +66,7 @@ resume0: > *ws++ = *s++; > wn -= 4; > } > + if (!wn) continue; Rather than adding an extra branch here, why not just either change the >=4 condition to >=5 or unconditionally continue here? Any thoughts on what would be better? Rich
Powered by blists - more mailing lists
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.