Date: Wed, 2 Sep 2020 20:04:26 +0000 (UTC) From: John Baldwin <jhb@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r365276 - head/lib/libc/stdlib Message-ID: <202009022004.082K4Q2r074059@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: jhb Date: Wed Sep 2 20:04:26 2020 New Revision: 365276 URL: https://svnweb.freebsd.org/changeset/base/365276 Log: Compute the correct size of the string to move forward. Previously this was counting the amount of spare room at the start of the buffer that the string needed to move forward and passing that as the number of bytes to copy to memmove rather than the length of the string to be copied. In the strfmon test in the test suite this caused the memmove to overflow the allocated buffer by one byte which CHERI caught. Reported by: CHERI Reviewed by: kevans Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D26280 Modified: head/lib/libc/stdlib/strfmon.c Modified: head/lib/libc/stdlib/strfmon.c ============================================================================== --- head/lib/libc/stdlib/strfmon.c Wed Sep 2 19:59:25 2020 (r365275) +++ head/lib/libc/stdlib/strfmon.c Wed Sep 2 20:04:26 2020 (r365276) @@ -645,7 +645,7 @@ __format_grouped_double(double value, int *flags, memset(bufend, pad_char, padded); } - bufsize = bufsize - (bufend - rslt) + 1; + bufsize = rslt + bufsize - bufend; memmove(rslt, bufend, bufsize); free(avalue); return (rslt);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202009022004.082K4Q2r074059>