Hi,

Here are patches for fixing some Monkey string problems:

[1/2] String: validate length of substring first to avoid extra memory allocation and release

In the current source code, `mk_string_copy_substr` allocates memory for the substring and then determines whether `pos_init` is larger than `pos_end`. If so, it releases the previously allocated memory. This is unnecessary if we compare `pos_init` and `pos_end` first. What's more, the length of the substring is given by `unsigned int size; size = (unsigned int) (pos_end - pos_init) + 1;`, while `pos_init` and `pos_end` are both defined as `int`. Someone can take advantage of this by passing invalid arguments on purpose, because converting a negative number to an unsigned one will result in a big number. Doing the comparison first also solves this problem.

[2/2] Config: fix substring length for copy

When copying the value substring from a configuration line, the end position should be `len - indent_len - i`, because we are counting from `buf + indent_len + i`. This may lead to a segmentation fault if `i` is large enough.

Best Regards,
swpd
Attachments:
0001-String-validate-length-of-substring-first-to-avoid-e.patch
0002-Config-Fix-substring-length-for-copy.patch
_______________________________________________ Monkey mailing list [email protected] http://lists.monkey-project.com/listinfo/monkey
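The two defects the mail describes, shown in an added example that is not Monkey's own code and not taken from the attached patches (which are not reproduced here). The helper names `substr_size_unchecked`, `copy_substr_checked`, `config_value_copy` and `config_line_value` are hypothetical, and the example assumes an exclusive `pos_end`; the config line it parses is constructed. It shows how a reversed `(pos_init, pos_end)` pair becomes a size near `UINT_MAX` when the positions are cast before being compared, how validating before `malloc` avoids both the wasted allocation and the huge size, and why `len - indent_len - i` is the only value length that stays inside a line whose value starts at `buf + indent_len + i`.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Monkey's code: hypothetical helpers illustrating the
 * two issues from the mail. */

/* The unchecked computation the first patch removes: pos_init and pos_end are
 * signed, so a reversed range gives a negative difference that the cast turns
 * into a number close to UINT_MAX. */
unsigned int substr_size_unchecked(int pos_init, int pos_end)
{
    return (unsigned int) (pos_end - pos_init) + 1;
}

/* Hardened copy of string[pos_init, pos_end) (pos_end exclusive, an assumption
 * of this example). All validation happens before malloc, so an invalid range
 * costs no allocation and can never produce a huge size. */
char *copy_substr_checked(const char *string, size_t string_len,
                          int pos_init, int pos_end)
{
    if (string == NULL || pos_init < 0 || pos_end < pos_init) {
        return NULL;                     /* reversed or negative range */
    }
    if ((size_t) pos_end > string_len) {
        return NULL;                     /* range runs past the source */
    }
    size_t bytes = (size_t) (pos_end - pos_init);
    char *buffer = malloc(bytes + 1);
    if (buffer == NULL) {
        return NULL;
    }
    memcpy(buffer, string + pos_init, bytes);
    buffer[bytes] = '\0';
    return buffer;
}

/* The second patch's case: buf is a config line of len bytes, the first
 * indent_len bytes are indentation and the value starts i bytes after the
 * indentation. Counting from buf + indent_len + i leaves len - indent_len - i
 * bytes, so that is the length to copy. */
char *config_value_copy(const char *buf, size_t len, size_t indent_len, size_t i)
{
    size_t start = indent_len + i;
    if (start > len) {
        return NULL;                     /* offsets point past the line */
    }
    size_t value_len = len - indent_len - i;
    return copy_substr_checked(buf + start, value_len, 0, (int) value_len);
}

/* Derives indent_len and i from a "key value" line the way a simple config
 * parser would, then copies the value with the corrected length. Returns a
 * heap string the caller frees, or NULL when the line carries no value. */
char *config_line_value(const char *line)
{
    size_t len = strlen(line);
    if (len > 0 && line[len - 1] == '\n') {
        len--;                           /* ignore the line terminator */
    }
    size_t indent_len = 0;
    while (indent_len < len && isspace((unsigned char) line[indent_len])) {
        indent_len++;
    }
    size_t i = 0;
    /* skip the key ... */
    while (indent_len + i < len && !isspace((unsigned char) line[indent_len + i])) {
        i++;
    }
    /* ... and the separator between key and value */
    while (indent_len + i < len && isspace((unsigned char) line[indent_len + i])) {
        i++;
    }
    if (indent_len + i >= len) {
        return NULL;                     /* key without a value */
    }
    return config_value_copy(line, len, indent_len, i);
}

int main(void)
{
    /* constructed inputs */
    printf("unchecked size for (5, 2): %u\n", substr_size_unchecked(5, 2));
    char *word = copy_substr_checked("hello world", 11, 6, 11);
    printf("checked copy: %s\n", word ? word : "(null)");
    free(word);
    printf("reversed range: %s\n",
           copy_substr_checked("hello", 5, 3, 1) ? "copied" : "rejected");
    char *value = config_line_value("    Listen 2001\n");
    printf("config value: %s\n", value ? value : "(null)");
    free(value);
    return 0;
}
```

Running it prints an unchecked size of 4294967294 for the reversed pair (5, 2), while the checked copy rejects the same pair before touching the allocator; the config helper returns `2001` for the constructed line `    Listen 2001`.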
