lib: don't overrun buffer in capn_write_mem_packed

Missing parentheses end up scaling the offset by 4, which is actually a
stack/heap overflow.
David Lamparter 2016-06-27 16:03:03 +02:00
parent 0b128565c0
commit 33ae16bba8


@ -232,7 +232,7 @@ static int capn_write_mem_packed(struct capn *c, uint8_t *p, size_t sz)
root = capn_root(c); root = capn_root(c);
header_calc(c, &headerlen, &headersz); header_calc(c, &headerlen, &headersz);
header = (uint32_t*) p + headersz + 2; /* must reserve two bytes for worst case expansion */ header = (uint32_t*) (p + headersz + 2); /* must reserve two bytes for worst case expansion */
if (sz < headersz*2 + 2) /* We must have space for temporary writing of header to deflate */ if (sz < headersz*2 + 2) /* We must have space for temporary writing of header to deflate */
return -1; return -1;
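Review bot: The corrected `header = (uint32_t*) (p + headersz + 2);` is still evaluated before the `sz < headersz*2 + 2` check, so for an undersized buffer the pointer is formed past the end of `p` before the function returns -1. Moving the assignment below the `return -1;` guard keeps the arithmetic inside the caller's buffer. Separately, the 2-byte offset probably leaves the `uint32_t *` misaligned relative to `p` (header_calc is not visible here, so the granularity of `headersz` is an assumption). Storing header words through it would then be undefined behaviour on strict-alignment targets; keeping a `uint8_t *` and writing the words with `memcpy` avoids this. The function body continues outside the hunk, so how `header` is actually written cannot be confirmed from these lines.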