[darcs-devel] darcs patch: Fix off-by-one error

Jan-Benedict Glaw jbglaw at lug-owl.de
Tue Jan 25 07:49:38 PST 2005


On Tue, 2005-01-25 10:29:27 -0500, Jan-Benedict Glaw <jbglaw at lug-owl.de>
wrote in message <E1CtSdD-0007LK-Ff at abridgegame.org>:
> 
> New patches:
> 
> [Fix off-by-one error
> Jan-Benedict Glaw <jbglaw at lug-owl.de>**20050125151229] {
> hunk ./compat.c 383
> -    tempname = malloc(rc + 1);
> +    tempname = malloc(rc);
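Review bot: shrinking the allocation to `malloc(rc)` is only safe if the snprintf call that fills `tempname` (not shown in this hunk) passes `rc`, not `rc + 1`, as its size argument; otherwise the buffer is now one byte short of what snprintf is told it may write. Please include the snprintf line as context so the size argument and the allocation can be checked against each other, and note that the `malloc` result is still not checked for NULL before use.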
> hunk ./compat.c 387
> -    if(len < 0 || len > rc) {
> +    if(len < 0 || len >= rc) {
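Review bot: the change to `len >= rc` is the right condition, since snprintf returns the length the full string would have had, excluding the terminating NUL, so `len == rc` already means the last byte was dropped; a one-line comment stating that rule next to the check would keep the next reader from "fixing" it back to `>`. Also worth confirming that `rc` has a signed type (or casting it) so the comparison with the `int` `len` does not trigger signed/unsigned warnings.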
> }

Hmmm... The long description seems to have vanished.

The first change (allocate one byte less) isn't all that important; it
doesn't break anything. However, it was obviously intended to catch
overlong snprintfs by checking its return value. Unfortunately, "rc" was
supplied as the buffer length and then len is checked to be larger than rc.
That's, however, wrong: snprintf() counts the bytes it would have written,
excluding the final \0. This is why we've got to check like

	if (snprintf_len >= buffer_len)
		die ();

If the check (snprintf_len > buffer_len) fires, then you've already lost
the very last byte. This wouldn't break the whole function, because
the name is only used as a temporary, though...

MfG, JBG

-- 
Jan-Benedict Glaw       jbglaw at lug-owl.de    . +49-172-7608481             _ O _
"Eine Freie Meinung in  einem Freien Kopf    | Gegen Zensur | Gegen Krieg  _ _ O
 fuer einen Freien Staat voll Freier Bürger" | im Internet! |   im Irak!   O O O
ret = do_actions((curr | FREE_SPEECH) & ~(NEW_COPYRIGHT_LAW | DRM | TCPA));
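The snprintf return-value rule discussed in the mail above, as an added C example that is not part of the original message or of darcs' compat.c; the 8-byte sample name and the function names are constructed for the demonstration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Format s into a freshly malloc'ed buffer of rc bytes (the size snprintf is
 * told about) and return snprintf's result. snprintf returns the length the
 * full string WOULD have had, not counting the terminating '\0', no matter
 * how much of it actually fit. */
int snprintf_len(const char *s, size_t rc) {
    char *buf = malloc(rc);
    if (buf == NULL) return -1;
    int len = snprintf(buf, rc, "%s", s);
    free(buf);
    return len;
}

/* Ground truth: did the formatted string really lose bytes? */
int actually_truncated(const char *s, size_t rc) {
    char *buf = malloc(rc);
    if (buf == NULL) return 1;
    int len = snprintf(buf, rc, "%s", s);
    int cut = len < 0 || strlen(buf) != (size_t)len;
    free(buf);
    return cut;
}

/* The check the patch removes: misses the case len == rc. */
int old_check_fires(int len, size_t rc) { return len < 0 || len > (int)rc; }

/* The check the patch introduces: len == rc means the last byte was
 * dropped to make room for the '\0'. */
int new_check_fires(int len, size_t rc) { return len < 0 || len >= (int)rc; }

int main(void) {
    const char *name = "tmpfile1"; /* constructed 8-byte sample name */
    for (size_t rc = 7; rc <= 9; rc++) {
        int len = snprintf_len(name, rc);
        printf("rc=%zu len=%d truncated=%d old=%d new=%d\n", rc, len,
               actually_truncated(name, rc), old_check_fires(len, rc),
               new_check_fires(len, rc));
    }
    return 0;
}
```

With rc=8 the string is silently cut to "tmpfile" while the old `>` check stays quiet; only the `>=` check reports it.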