From 33ae16bba852e5746ec42f67dd080b0e49327c29 Mon Sep 17 00:00:00 2001
From: David Lamparter
Date: Mon, 27 Jun 2016 16:03:03 +0200
Subject: [PATCH] lib: don't overrun buffer in capn_write_mem_packed

Missing braces end up scaling the offset by * 4 ... which is actually a stack/heap overflow.
---
 lib/capn-malloc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/capn-malloc.c b/lib/capn-malloc.c
index a97ec16..6cfcea3 100644
--- a/lib/capn-malloc.c
+++ b/lib/capn-malloc.c
@@ -232,7 +232,7 @@ static int capn_write_mem_packed(struct capn *c, uint8_t *p, size_t sz)
 root = capn_root(c);
 header_calc(c, &headerlen, &headersz);
- header = (uint32_t*) p + headersz + 2; /* must reserve two bytes for worst case expansion */
+ header = (uint32_t*) (p + headersz + 2); /* must reserve two bytes for worst case expansion */
 if (sz < headersz*2 + 2) /* We must have space for temporary writing of header to deflate */
 return -1;
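Review bot: The corrected cast on the added line still produces a `uint32_t *` that sits two bytes past a 4-byte boundary whenever `p` is aligned and `headersz` is a multiple of four, so any direct 32-bit load or store through `header` is a misaligned access — undefined behaviour in C and a fault on strict-alignment targets — even though the buffer overrun the commit fixes is gone. Whether `header` is ever dereferenced as `uint32_t` or only handed to byte-wise copies is decided outside this hunk (capn_write_mem_packed starts before it and continues after `return -1;`), so this needs confirming rather than assuming; if it is written as words, build the header in a local `uint32_t` array and `memcpy` it into place, or keep `header` as a `uint8_t *`. The pointer is also formed before the `sz < headersz*2 + 2` guard; reordering so the guard precedes `header = (uint32_t*) (p + headersz + 2);` keeps the function strictly conforming and makes the size contract easier to read. Compiling with `-Wcast-align` or running the unit tests under UBSan's alignment check would surface this class of cast automatically.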