mdocml: manpath.c off-by-one by making wrong usage of fgetln(3)
Issue #98
resolved
see following code:
    while (NULL != (p = fgetln(stream, &len))) {
        if (0 == len || '\n' != p[--len])
            break;
        p[len] = '\0';
If p[len - 1] is not '\n', p[len] = '\0' causes an off-by-one buffer overrun; read the CAVEATS section of the fgetln(3) manual carefully.
Comments (4)
-
reporter -
reporter - changed status to resolved
BUGFIX: Issue #98 - mdocml: manpath.c off-by-one by making wrong usage of fgetln(3). → <<cset d4e3729640f6>>
-
reporter oops,
"if p's length (=len) is shorter than keysz, this compare makes an overrun too."
is not correct; strncmp(3) stops at '\0', unlike memcmp(3), so it never overruns ;)
-
reporter - changed status to resolved
and more:
if p's length (=len) is shorter than keysz, this compare makes an overrun too.
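The copy-on-missing-newline handling that the fgetln(3) CAVEATS section calls for, together with a length-checked key comparison, written as an added example that is not part of the original report and is not the mdocml fix. The helper names `line_to_cstr` and `line_has_key` and the sample bytes are hypothetical, and the helpers take a `(p, len)` pair directly so the code also builds on systems without fgetln(3).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * NUL-terminate a (p, len) line as fgetln(3) hands it back, touching only
 * p[0..len-1]. If the line ends in '\n' that byte is overwritten in place;
 * otherwise (last line without newline) the bytes are copied into a new
 * len+1 buffer. *tofree is set to the copy, or NULL when p was reused.
 */
char *
line_to_cstr(char *p, size_t len, char **tofree)
{
	char *copy;

	*tofree = NULL;
	if (len > 0 && p[len - 1] == '\n') {
		p[len - 1] = '\0';
		return p;
	}
	if ((copy = malloc(len + 1)) == NULL)
		return NULL;
	memcpy(copy, p, len);
	copy[len] = '\0';	/* in bounds: copy holds len + 1 bytes */
	return *tofree = copy;
}

/* Length-checked prefix match, so a line shorter than the key never matches. */
int
line_has_key(const char *p, size_t len, const char *key)
{
	size_t keysz = strlen(key);

	return len >= keysz && memcmp(p, key, keysz) == 0;
}

int
main(void)
{
	/* Constructed input: exactly 3 bytes, no newline, no spare byte. */
	char *raw = malloc(3), *tofree, *s;

	if (raw == NULL)
		return 1;
	memcpy(raw, "abc", 3);
	if ((s = line_to_cstr(raw, 3, &tofree)) == NULL)
		return 1;
	printf("%s %d\n", s, line_has_key(s, strlen(s), "abcd"));
	free(tofree);
	free(raw);
	return 0;
}
```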