mirror of
https://github.com/jemalloc/jemalloc.git
synced 2026-07-16 05:37:18 +03:00
Fix a bug in prof_dump_write
The original logic can be disastrous if `PROF_DUMP_BUFSIZE` is less than `slen` -- `prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE` would always be `false`, so `memcpy` would always try to copy `PROF_DUMP_BUFSIZE - prof_dump_buf_end` chars, which can be dangerous: in the last round of the `while` loop it would not only illegally read the memory beyond `s` (which might not always be disastrous), but it would also illegally overwrite the memory beyond `prof_dump_buf` (which can be pretty disastrous). `slen` probably has never gone beyond `PROF_DUMP_BUFSIZE` so we were just lucky.
This commit is contained in:
parent
d26636d566
commit
e0a0c8d4bf
1 changed files with 1 additions and 1 deletions
|
|
@ -1292,7 +1292,7 @@ prof_dump_write(bool propagate_err, const char *s) {
|
|||
}
|
||||
}
|
||||
|
||||
if (prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE) {
|
||||
if (prof_dump_buf_end + slen - i <= PROF_DUMP_BUFSIZE) {
|
||||
/* Finish writing. */
|
||||
n = slen - i;
|
||||
} else {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue