| commit | c80541d020cb9213ae32aa93fcf4f8184bdd74fb | |
| author | Michael Kruse <isl@meinersbur.de> | |
| Wed, 11 Mar 2015 12:55:33 +0000 (11 13:55 +0100) | ||
| committer | Sven Verdoolaege <skimo@kotnet.org> | |
| Wed, 11 Mar 2015 15:30:49 +0000 (11 16:30 +0100) | ||
| tree | 0b7c3a222af6311282e86a3049895e65a5d842a1 | treesnapshot (tar.gz zip) |
| parent | bb4d183e345c3c688defbc9bc6a5bf5cf43a88f2 | commitdiff |
isl_tab_extend_vars: fix buffer overflow
max_var is the capacity of the buffer, but was not set to the real size of
the buffer after realloc.
If max_var > n_var during a call of isl_tab_extend_vars, max_var would
be set to max_var+n_new, although only n_var+n_new has been allocated.
Other code (notably add_sub_vars) assumes that it can write up to
max_var elements, but writes beyond the allocated buffer when accessing
the last elements.
Signed-off-by: Michael Kruse <isl@meinersbur.de>
Signed-off-by: Sven Verdoolaege <skimo@kotnet.org>
max_var is the capacity of the buffer, but was not set to the real size of
the buffer after realloc.
If max_var > n_var during a call of isl_tab_extend_vars, max_var would
be set to max_var+n_new, although only n_var+n_new has been allocated.
Other code (notably add_sub_vars) assumes that it can write up to
max_var elements, but writes beyond the allocated buffer when accessing
the last elements.
Signed-off-by: Michael Kruse <isl@meinersbur.de>
Signed-off-by: Sven Verdoolaege <skimo@kotnet.org>
| isl_tab.c | diffblobblamehistory |