[evolution-patches] eds buffer overflow

From: Not Zed <notzed ximian com>
To: evolution-patches lists ximian com
Subject: [evolution-patches] eds buffer overflow
Date: Mon, 02 Aug 2004 15:29:25 +0800

it could write beyond the end of the allocation before allocating more.

Michael Zucchi <notzed ximian com>
"born to die, live to work, it's all downhill from here"
Novell's Evolution and Free Software Developer

Index: calendar/libical/ChangeLog
===================================================================
RCS file: /cvs/gnome/libical/ChangeLog,v
retrieving revision 1.163
diff -u -3 -r1.163 ChangeLog
--- calendar/libical/ChangeLog	13 May 2004 03:54:39 -0000	1.163
+++ calendar/libical/ChangeLog	2 Aug 2004 07:29:48 -0000
@@ -1,3 +1,8 @@
+2004-08-02  Not Zed  <NotZed Ximian com>
+
+	* src/libicalvcal/vcc.y: re-alloc when we reach the buffer length,
+	not one past it.  Fixes an ABW.
+
 2004-05-13  Phil Goembel <phil-goembel wi rr com>
 
 	* src/libical/icalparser.c (icalparser_get_line): accept tab and
Index: calendar/libical/src/libicalvcal/vcc.y
===================================================================
RCS file: /cvs/gnome/libical/src/libicalvcal/vcc.y,v
retrieving revision 1.8
diff -u -3 -r1.8 vcc.y
--- calendar/libical/src/libicalvcal/vcc.y	12 Feb 2004 20:14:12 -0000	1.8
+++ calendar/libical/src/libicalvcal/vcc.y	2 Aug 2004 07:29:49 -0000
@@ -619,7 +619,7 @@
     /* append up to zero termination */
     if (c == 0) return;
     lexBuf.strsLen++;
-    if (lexBuf.strsLen > lexBuf.maxToken) {
+    if (lexBuf.strsLen >= lexBuf.maxToken) {
 	/* double the token string size */
 	lexBuf.maxToken <<= 1;
 	lexBuf.strs = (char*) realloc(lexBuf.strs,(size_t)lexBuf.maxToken);

Follow-Ups:
- Re: [evolution-patches] eds buffer overflow
  - From: Rodrigo Moya
- Re: [evolution-patches] eds buffer overflow
  - From: Not Zed

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]