mirror of
https://github.com/curl/curl.git
synced 2024-12-27 06:59:43 +08:00
strdup: don't allow Curl_strndup to read past a null terminator
- Use malloc + strncpy instead of Curl_memdup to dupe the string before
null terminating it.
Prior to this change if Curl_strndup was passed a length longer than
the allocated string then it could copy out of bounds.
This change is for posterity. Curl_strndup was added in the parent
commit and currently none of the calls to it pass a length that would
cause it to read past the allocated length of the input.
Follow-up to d3b3ba35
.
Closes https://github.com/curl/curl/pull/12254
This commit is contained in:
parent
d3b3ba35a5
commit
4855debd8a
14
lib/strdup.c
14
lib/strdup.c
@ -103,18 +103,20 @@ void *Curl_memdup(const void *src, size_t length)
|
||||
*
|
||||
* Curl_strndup(source, length)
|
||||
*
|
||||
* Copies the 'source' data to a newly allocated buffer (that is
|
||||
* returned). Copies 'length' bytes then adds a null terminator.
|
||||
* Copies the 'source' string to a newly allocated buffer (that is returned).
|
||||
* Copies not more than 'length' bytes then adds a null terminator.
|
||||
*
|
||||
* Returns the new pointer or NULL on failure.
|
||||
*
|
||||
***************************************************************************/
|
||||
void *Curl_strndup(const void *src, size_t length)
|
||||
{
|
||||
char *b = Curl_memdup(src, length + 1);
|
||||
if(b)
|
||||
b[length] = 0;
|
||||
return b;
|
||||
char *buf = malloc(length + 1);
|
||||
if(!buf)
|
||||
return NULL;
|
||||
strncpy(buf, src, length);
|
||||
buf[length] = 0;
|
||||
return buf;
|
||||
}
|
||||
|
||||
/***************************************************************************
|
||||
|
Loading…
Reference in New Issue
Block a user