Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 20 Jan 2016 19:56:43 +0000 (UTC)
From:      Brooks Davis <brooks@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org
Subject:   svn commit: r294457 - stable/9/lib/libc/string
Message-ID:  <201601201956.u0KJuht6095604@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: brooks
Date: Wed Jan 20 19:56:43 2016
New Revision: 294457
URL: https://svnweb.freebsd.org/changeset/base/294457

Log:
  MFC r293856:
  
  Avoid reading pass the end of the source buffer when it is not NUL
  terminated.
  
  If this buffer is adjacent to an unmapped page or a version of C with
  bounds checked is used this may result in a crash.
  
  PR:		206178
  Submitted by:	Alexander Cherepanov <cherepan@mccme.ru>

Modified:
  stable/9/lib/libc/string/wcslcat.c
Directory Properties:
  stable/9/lib/libc/   (props changed)

Modified: stable/9/lib/libc/string/wcslcat.c
==============================================================================
--- stable/9/lib/libc/string/wcslcat.c	Wed Jan 20 19:52:01 2016	(r294456)
+++ stable/9/lib/libc/string/wcslcat.c	Wed Jan 20 19:56:43 2016	(r294457)
@@ -54,7 +54,7 @@ wcslcat(wchar_t *dst, const wchar_t *src
 	size_t dlen;
 
 	/* Find the end of dst and adjust bytes left but don't go past end */
-	while (*d != '\0' && n-- != 0)
+	while (n-- != 0 && *d != '\0')
 		d++;
 	dlen = d - dst;
 	n = siz - dlen;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201601201956.u0KJuht6095604>