CEGUI::String.erase() can perform buffer overrun

Issue #376 resolved
Former user created an issue

Automatic migration. Original reporter: "gring"

If idx is equal to d_cplength, then the memmove below will become -len, which is a size_t value, and becomes a potentially huge memmove.

Change the condition to:

```cpp
if (d_cplength <= idx) throw....
```

```cpp
String& erase(size_type idx, size_type len = npos)
{
    if (d_cplength < idx)
        throw std::out_of_range("Index is out of range foe Cube::String");

    if (len == npos)
        len = d_cplength - idx;

    size_type newsz = d_cplength - len;

    // (d_cplength - idx - len) is unsigned: it wraps to a huge size_t when len exceeds d_cplength - idx
    memmove(&ptr()[idx], &ptr()[idx + len], (d_cplength - idx - len) * sizeof(utf32));
    setlen(newsz);
    return *this;
}
```

Reproducibility: always
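A hardened erase() along the lines the report suggests, as an added C++ example (not CEGUI's code): it applies the reporter's `<=` index check and additionally clamps len to the characters remaining after idx, so the tail length handed to memmove can no longer wrap. The CheckedString class, its std::vector storage, the ASCII-only constructor and the helper functions are assumptions made to keep the example self-contained.

```cpp
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

typedef std::uint32_t utf32;
// Stand-in for the string internals the report names (d_cplength, ptr(), setlen());
// the std::vector storage and ASCII constructor are assumptions of this example.
class CheckedString {
public:
    typedef std::size_t size_type;
    static const size_type npos = static_cast<size_type>(-1);

    explicit CheckedString(const std::string& s) : d_buf(s.begin(), s.end()), d_cplength(s.size()) {}
    CheckedString& erase(size_type idx, size_type len = npos) {
        // Report's condition: idx == d_cplength is rejected, so d_cplength - idx >= 1.
        if (d_cplength <= idx)
            throw std::out_of_range("Index is out of range for CEGUI::String");
        // Added clamp: idx + len past the end would also make the tail length wrap.
        if (len == npos || len > d_cplength - idx)
            len = d_cplength - idx;
        const size_type tail = d_cplength - idx - len;  // cannot underflow now
        std::memmove(ptr() + idx, ptr() + idx + len, tail * sizeof(utf32));
        setlen(d_cplength - len);
        return *this;
    }
    std::string str() const { return std::string(d_buf.begin(), d_buf.begin() + d_cplength); }

private:
    utf32* ptr() { return d_buf.data(); }
    void setlen(size_type n) { d_cplength = n; }
    std::vector<utf32> d_buf;
    size_type d_cplength;
};

// Byte count the unchecked expression from the report hands to memmove once
// idx + len exceeds d_cplength: the size_t subtraction wraps to a huge value.
std::size_t unchecked_move_bytes(std::size_t cplength, std::size_t idx, std::size_t len) {
    return (cplength - idx - len) * sizeof(utf32);
}
// Helpers that exercise erase() on a constructed ASCII sample.
std::string erase_result(const std::string& s, std::size_t idx, std::size_t len = CheckedString::npos) {
    return CheckedString(s).erase(idx, len).str();
}
bool erase_rejects(const std::string& s, std::size_t idx, std::size_t len = CheckedString::npos) {
    try { CheckedString(s).erase(idx, len); } catch (const std::out_of_range&) { return true; }
    return false;
}
```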
