romenskiy2012/jemalloc
1
0
Fork 0
mirror of https://github.com/jemalloc/jemalloc.git synced 2026-04-14 22:51:50 +03:00
Code Issues Projects Releases Packages Wiki Activity

Fix out-of-bounds write in malloc_vsnprintf when size is 0

Browse source 
When called with size==0, the else branch wrote to str[size-1] which
is str[(size_t)-1], a massive out-of-bounds write. Standard vsnprintf
allows size==0 to mean "compute length only, write nothing".

Add unit test for the size==0 case.
This commit is contained in:
Slobodan Predolac 2026-03-27 10:02:59 -07:00
parent eab2b29736
commit c2d57040f0
2 changed files with 20 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/malloc_io.c
View file

@ -692,7 +692,7 @@ malloc_vsnprintf(char *str, size_t size, const char *format, va_list ap) {
label_out:
if (i < size) {
str[i] = '\0';
} else {
} else if (size != 0) {
str[size - 1] = '\0';
}