linebuf: Fix possible memory corruption when receiving many CR/LF.

The last byte of balloc.c's block pointer could be changed from 10 or 13 to
0. On amd64, this is not possible. On i386, this is possible and usually
causes a crash soon.
This commit is contained in:
Jilles Tjoelker 2014-10-10 23:56:16 +02:00
parent 5d4a99540b
commit 1c864688bb

View file

@ -224,7 +224,8 @@ rb_linebuf_copy_line(buf_head_t * bufhead, buf_line_t * bufline, char *data, int
/* This is the ~overflow case..This doesn't happen often.. */ /* This is the ~overflow case..This doesn't happen often.. */
if(cpylen > (BUF_DATA_SIZE - bufline->len - 1)) if(cpylen > (BUF_DATA_SIZE - bufline->len - 1))
{ {
memcpy(bufch, ch, (BUF_DATA_SIZE - bufline->len - 1)); cpylen = BUF_DATA_SIZE - bufline->len - 1;
memcpy(bufch, ch, cpylen);
bufline->buf[BUF_DATA_SIZE - 1] = '\0'; bufline->buf[BUF_DATA_SIZE - 1] = '\0';
bufch = bufline->buf + BUF_DATA_SIZE - 2; bufch = bufline->buf + BUF_DATA_SIZE - 2;
while(cpylen && (*bufch == '\r' || *bufch == '\n')) while(cpylen && (*bufch == '\r' || *bufch == '\n'))