Date: Fri, 22 Jan 2016 00:13:18 +0000 (UTC) From: Brooks Davis <brooks@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org Subject: svn commit: r294538 - stable/8/lib/libc/string Message-ID: <201601220013.u0M0DIZJ040061@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: brooks Date: Fri Jan 22 00:13:18 2016 New Revision: 294538 URL: https://svnweb.freebsd.org/changeset/base/294538 Log: MFC r293856: Avoid reading pass the end of the source buffer when it is not NUL terminated. If this buffer is adjacent to an unmapped page or a version of C with bounds checked is used this may result in a crash. PR: 206178 Submitted by: Alexander Cherepanov <cherepan@mccme.ru> Requested by: danfe Modified: stable/8/lib/libc/string/wcslcat.c Directory Properties: stable/8/lib/libc/ (props changed) Modified: stable/8/lib/libc/string/wcslcat.c ============================================================================== --- stable/8/lib/libc/string/wcslcat.c Fri Jan 22 00:08:16 2016 (r294537) +++ stable/8/lib/libc/string/wcslcat.c Fri Jan 22 00:13:18 2016 (r294538) @@ -54,7 +54,7 @@ wcslcat(wchar_t *dst, const wchar_t *src size_t dlen; /* Find the end of dst and adjust bytes left but don't go past end */ - while (*d != '\0' && n-- != 0) + while (n-- != 0 && *d != '\0') d++; dlen = d - dst; n = siz - dlen;
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201601220013.u0M0DIZJ040061>