Hmmm. Actually, this could improve its efficiency by only allocating
len+1 bytes if len < n. Should we do that?
Cheers,
Ben.
[EMAIL PROTECTED] wrote:
>
> ben 01/02/11 08:25:08
>
> Modified: strings apr_strings.c
> Log:
> ap_pstrndup could have caused out-of-bounds memory accesses (this is a
> theoretical problem that I happened to notice). Only lightly tested.
>
> Revision Changes Path
> 1.9 +7 -2 apr/strings/apr_strings.c
>
> Index: apr_strings.c
> ===================================================================
> RCS file: /home/cvs/apr/strings/apr_strings.c,v
> retrieving revision 1.8
> retrieving revision 1.9
> diff -u -r1.8 -r1.9
> --- apr_strings.c 2001/02/11 16:18:09 1.8
> +++ apr_strings.c 2001/02/11 16:25:07 1.9
> @@ -83,13 +83,18 @@
> APR_DECLARE(char *) apr_pstrndup(apr_pool_t *a, const char *s, apr_size_t
> n)
> {
> char *res;
> + size_t len;
>
> if (s == NULL) {
> return NULL;
> }
> res = apr_palloc(a, n + 1);
> - memcpy(res, s, n);
> - res[n] = '\0';
> + len = strlen(s);
> + if(len > n) {
> + memcpy(res, s, n);
> + res[n] = '\0';
> + } else
> + memcpy(res, s, len+1);
> return res;
> }
>
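Review bot: the new `len = strlen(s);` scan is unbounded, so this version still reads past the n bytes the caller asked for whenever s is not NUL-terminated within them (the usual strndup case of pointing at a slice of a larger buffer), which is the same class of out-of-bounds read the log entry set out to remove; a bounded scan such as `memchr(s, '\0', n)`, or a loop that stops at n, gives the length without ever touching byte n or beyond. Computing that length before the `res = apr_palloc(a, n + 1);` call would also let the allocation be `len + 1` instead of always `n + 1`. Minor style: `if(len > n) {` lacks the space after `if` used elsewhere in the function, the else branch is unbraced while the if branch is braced, and `len` is declared `size_t` while `n` is `apr_size_t`.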
>
>
>
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
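The bounded copy behind Ben's question, written out as an added example; this is not APR's code and not part of the thread. It assumes malloc/free as a stand-in for the pool allocator apr_palloc, the function names bounded_strndup and copied_len are this example's own, and the inputs in main are constructed. The scan for the terminator is bounded by n (memchr), so the function never reads beyond the n bytes it was given even when s is not NUL-terminated, and it allocates len+1 rather than n+1 when the string is shorter than n.

```c
/* Added example, not APR's code: a bounded strndup-style copy that never
 * reads more than n bytes of s and allocates only what it copies.
 * malloc/free stand in for the pool allocator apr_palloc (assumption);
 * bounded_strndup and copied_len are names chosen for this example. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy at most n bytes of s into a fresh NUL-terminated buffer.
 * The terminator search is bounded by n, so s does not have to be
 * NUL-terminated within n bytes, unlike a strlen()-based version.
 * Returns NULL if s is NULL or the allocation fails. */
char *bounded_strndup(const char *s, size_t n)
{
    const char *nul;
    size_t len;
    char *res;

    if (s == NULL)
        return NULL;

    /* Bounded scan: stops at the first NUL or after exactly n bytes. */
    nul = memchr(s, '\0', n);
    len = nul ? (size_t)(nul - s) : n;

    /* Allocate len+1, not n+1: no over-allocation when s is shorter than n. */
    res = malloc(len + 1);
    if (res == NULL)
        return NULL;
    memcpy(res, s, len);
    res[len] = '\0';
    return res;
}

/* Length of the copy bounded_strndup makes from (s, n),
 * or (size_t)-1 when it returns NULL. */
size_t copied_len(const char *s, size_t n)
{
    char *dup = bounded_strndup(s, n);
    size_t len;

    if (dup == NULL)
        return (size_t)-1;
    len = strlen(dup);
    free(dup);
    return len;
}

int main(void)
{
    /* Constructed inputs. buf is deliberately NOT NUL-terminated: reading
     * past its 5 bytes (as strlen(s) or memcpy(res, s, 8) would) is the
     * kind of out-of-bounds access the commit log describes. */
    char buf[5] = { 'a', 'b', 'c', 'd', 'e' };
    const char *short_s = "hi";
    char *d;

    d = bounded_strndup(buf, sizeof buf);   /* reads exactly 5 bytes */
    if (d) {
        printf("\"%s\" (copied %zu)\n", d, strlen(d));
        free(d);
    }

    d = bounded_strndup(short_s, 100);      /* 3 bytes allocated, not 101 */
    if (d) {
        printf("\"%s\" (copied %zu)\n", d, strlen(d));
        free(d);
    }
    return 0;
}
```

The two cases in main are the two the thread is about: a buffer with no terminator inside the first n bytes, where an unbounded scan or an unconditional n-byte memcpy would run off the end, and a short string with a large n, where allocating n+1 wastes most of the block.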