33 lines
1.2 KiB
Diff
33 lines
1.2 KiB
Diff
From 278b4175c9d7dd47c1a3071554aac02add3b3c35 Mon Sep 17 00:00:00 2001
|
|
From: Bruno Haible <bruno@clisp.org>
|
|
Date: Sun, 23 Sep 2018 14:13:52 +0200
|
|
Subject: vasnprintf: Fix heap memory overrun bug.
|
|
|
|
Reported by Ben Pfaff <blp@cs.stanford.edu> in
|
|
<https://lists.gnu.org/archive/html/bug-gnulib/2018-09/msg00107.html>.
|
|
|
|
* lib/vasnprintf.c (convert_to_decimal): Allocate one more byte of
|
|
memory.
|
|
---
|
|
lib/vasnprintf.c | 4 +++-
|
|
1 files changed, 3 insertions(+), 1 deletions(-)
|
|
|
|
diff --git a/lib/vasnprintf.c b/lib/vasnprintf.c
|
|
index 56ffbe3..30d021b 100644
|
|
--- a/lib/vasnprintf.c
|
|
+++ b/lib/vasnprintf.c
|
|
@@ -860,7 +860,9 @@ convert_to_decimal (mpn_t a, size_t extra_zeroes)
|
|
size_t a_len = a.nlimbs;
|
|
/* 0.03345 is slightly larger than log(2)/(9*log(10)). */
|
|
size_t c_len = 9 * ((size_t)(a_len * (GMP_LIMB_BITS * 0.03345f)) + 1);
|
|
- char *c_ptr = (char *) malloc (xsum (c_len, extra_zeroes));
|
|
+ /* We need extra_zeroes bytes for zeroes, followed by c_len bytes for the
|
|
+ digits of a, followed by 1 byte for the terminating NUL. */
|
|
+ char *c_ptr = (char *) malloc (xsum (xsum (extra_zeroes, c_len), 1));
|
|
if (c_ptr != NULL)
|
|
{
|
|
char *d_ptr = c_ptr;
|
|
--
|
|
cgit v1.1
|
|
|