• Hanno Böck's avatar
    Fix heap buffer overflow in fgetwln() · c8f0723d
    Hanno Böck authored
    In the function fgetwln() there's a 4 byte heap overflow.
    
    There is a while loop that has this check to see whether there's still
    enough space in the buffer:
    
    		if (!fb->len || wused > fb->len) {
    
    If this is true more memory gets allocated. However this test won't be
    true if wused == fb->len, but at that point wused already points out
    of the buffer. Some lines later there's a write to the buffer:
    
    		fb->wbuf[wused++] = wc;
    
    This bug was found with the help of address sanitizer.
    
    Warned-by: ASAN
    Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881Signed-off-by: Guillem Jover's avatarGuillem Jover <guillem@hadrons.org>
    c8f0723d
fgetwln.c 2.52 KB