author | Jo-Philipp Wich <jo@mein.io> | 2022-03-14 14:40:18 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2022-03-14 14:40:18 +0100 |
commit | 73dcd7837023939063ad89681c8d4e7392a310fe (patch) | |
tree | 8d50b4e8856fdd992ab690cccad947873016a4db /tests/custom/03_stdlib/31_arrtoip | |
parent | 8fd4746da31b945a6259ac846f7cf8dcfef0b1ef (diff) |
lib: fix potential integer underflow on empty render output

The current `uc_render()` implementation uses a `fseek()` call on the
`open_memstream()` provided `FILE *` stream to reserve headroom for the
`uc_string_t` header. The `fseek()` call alone does not guarantee that
the underlying buffer length is updated on all libc implementations though.

This may lead to an integer underflow later on when the `uc_string_t`
header length is subtracted from the buffer length after invoking a
template that did not produce any output write operations. In such a
case, a very large value is assigned to `ustr->length` leading to
uninitialized or out-of-bounds memory accesses later on.

Solve this issue by writing the header structure as data using `fwrite()`
which should yield the expected behaviour on all libc environments.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'tests/custom/03_stdlib/31_arrtoip')
0 files changed, 0 insertions, 0 deletions
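
The underflow the commit message describes, reproduced as an added C example that is not ucode's code: it reserves header room in an `open_memstream()` stream with either `fseek()` or `fwrite()` and then subtracts the header size from the reported length. `demo_hdr_t`, `unchecked_len`, `checked_len` and `render` are hypothetical names, and the bounds check is an assumption of this example, not part of the commit.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* POSIX.1-2008; declared here in case strict ISO C mode hides it in <stdio.h>. */
FILE *open_memstream(char **bufp, size_t *sizep);

/* Hypothetical stand-in for the uc_string_t header, not ucode's real layout. */
typedef struct { uint32_t refcount; size_t length; } demo_hdr_t;

/* Subtraction without a check: wraps to a huge value when total < header size. */
static size_t unchecked_len(size_t total) { return total - sizeof(demo_hdr_t); }

/* Same subtraction with a bounds check (added by this example); 0 on success. */
static int checked_len(size_t total, size_t *out)
{
    if (total < sizeof(demo_hdr_t))
        return -1;
    *out = total - sizeof(demo_hdr_t);
    return 0;
}

/* Render `text` behind header room reserved by fseek() or fwrite(). Returns the
 * payload length, or (size_t)-1 if the stream is shorter than the header. */
static size_t render(const char *text, int use_fseek)
{
    char *buf = NULL;
    size_t total = 0, len = (size_t)-1;
    demo_hdr_t hdr = { 0, 0 };
    FILE *fp = open_memstream(&buf, &total);
    if (!fp) return len;
    if (use_fseek)
        fseek(fp, (long)sizeof(hdr), SEEK_SET); /* size update is libc-dependent */
    else
        fwrite(&hdr, 1, sizeof(hdr), fp);       /* header counted as stream data */
    fputs(text, fp);
    fclose(fp);
    if (checked_len(total, &len) != 0)
        len = (size_t)-1;
    free(buf);
    return len;
}

int main(void)
{
    printf("unchecked, total=0: %zu\n", unchecked_len(0));
    printf("fwrite, no output:  %zu\n", render("", 0));
    printf("fseek, no output:   %zu\n", render("", 1));
}
```

The `fseek()` line prints either 0 or the error value depending on the libc, which is the portability gap the commit closes by switching to `fwrite()`.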