The loop advances the pointer via start_address += len.
-- David Geier (ServiceNow On 6/10/2025 3:06 PM, Daniel Gustafsson wrote:
On 10 Jun 2025, at 14:59, David Geier <[email protected]> wrote: Hi hackers! SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last '\0' it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in EstimateLibraryStateSpace()The last '\0' written isn't performed in relation to the size, but at a fixed index in the buffer: ... } start_address[0] = '\0'; How would that cause a buffer overflow? -- Daniel Gustafsson
-- David Geier (ServiceNow)
