diff options
| author | tjr <tjr@FreeBSD.org> | 2003-11-02 23:20:24 +0000 |
|---|---|---|
| committer | tjr <tjr@FreeBSD.org> | 2003-11-02 23:20:24 +0000 |
| commit | 83375877b4b96929e9132ad10789d094de19422e (patch) | |
| tree | eccd2bbe1da2bd25065402a47af0f8e2e1ea763a /usr.bin/sed | |
| parent | 7c072fe20ea68fd4acd0ea5c656690529b57a7ea (diff) | |
| download | FreeBSD-src-83375877b4b96929e9132ad10789d094de19422e.zip FreeBSD-src-83375877b4b96929e9132ad10789d094de19422e.tar.gz | |
Change the buffer length test in NEEDSP() so that it does not
subtract one unsigned number from another potentially smaller
one, leading to wraparound (and heap corruption, eventually).
PR: 58813
MFC after: 2 weeks
Diffstat (limited to 'usr.bin/sed')
| -rw-r--r-- | usr.bin/sed/process.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/usr.bin/sed/process.c b/usr.bin/sed/process.c index d0fac86..93019b4 100644 --- a/usr.bin/sed/process.c +++ b/usr.bin/sed/process.c @@ -557,7 +557,8 @@ regsub(sp, string, src) char c, *dst; #define NEEDSP(reqlen) \ - if (sp->len >= sp->blen - (reqlen) - 1) { \ + /* XXX What is the +1 for? */ \ + if (sp->len + (reqlen) + 1 >= sp->blen) { \ sp->blen += (reqlen) + 1024; \ if ((sp->space = sp->back = realloc(sp->back, sp->blen)) \ == NULL) \ |
