Date:      Wed, 2 Sep 2020 20:04:26 +0000 (UTC)
From:      John Baldwin <jhb@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r365276 - head/lib/libc/stdlib
Message-ID:  <202009022004.082K4Q2r074059@repo.freebsd.org>

Author: jhb
Date: Wed Sep  2 20:04:26 2020
New Revision: 365276
URL: https://svnweb.freebsd.org/changeset/base/365276

Log:
  Compute the correct size of the string to move forward.
  
  Previously this was counting the amount of spare room at the start of
  the buffer that the string needed to move forward and passing that as
  the number of bytes to copy to memmove rather than the length of the
  string to be copied.
  
  In the strfmon test in the test suite this caused the memmove to
  overflow the allocated buffer by one byte which CHERI caught.
  
  Reported by:	CHERI
  Reviewed by:	kevans
  Obtained from:	CheriBSD
  MFC after:	1 week
  Sponsored by:	DARPA
  Differential Revision:	https://reviews.freebsd.org/D26280

Modified:
  head/lib/libc/stdlib/strfmon.c

Modified: head/lib/libc/stdlib/strfmon.c
==============================================================================
--- head/lib/libc/stdlib/strfmon.c	Wed Sep  2 19:59:25 2020	(r365275)
+++ head/lib/libc/stdlib/strfmon.c	Wed Sep  2 20:04:26 2020	(r365276)
@@ -645,7 +645,7 @@ __format_grouped_double(double value, int *flags,
 		memset(bufend, pad_char, padded);
 	}
 
-	bufsize = bufsize - (bufend - rslt) + 1;
+	bufsize = rslt + bufsize - bufend;
 	memmove(rslt, bufend, bufsize);
 	free(avalue);
 	return (rslt);
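
Review bot: On the changed line, `bufsize` is overwritten with the byte count passed to `memmove`, so from here on the name no longer means the size of the buffer; a separate local (for example `len = rslt + bufsize - bufend;`) would keep the allocation size and the move length apart. The expression is only a valid length while `bufend` lies between `rslt` and `rslt + bufsize`, and nothing in the visible lines checks that. Since the previous form was off by exactly one, a short comment stating that invariant, and whether the count is meant to cover the terminating NUL, would help the next reader.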


