< Previous by Date	Date Index	Next by Date >
	Thread Index

[reSIProcate] String handling problem in Data::append

From: Christian_Gavin@xxxxxxxxxxxx
Date: Tue, 12 Jul 2005 15:18:53 -0700

In Data.cxx, the following code:

Data&
Data::append(const char* str, size_type len)
{
   assert(str);
   if (mCapacity < mSize + len)
   {
      // .dlb. pad for future growth?
      resize(((mSize + len +16)*3)/2, true);
   }
   else
   {
      if (mMine == Share)
      {
         char *oldBuf = mBuf;
         mCapacity = mSize + len;
         mBuf = new char[mSize + len];
         memcpy(mBuf, oldBuf, mSize);
         mMine = Take;
      }
   }

   // could conceivably overlap
   memmove(mBuf + mSize, str, len);
   mSize += len;
   mBuf[mSize] = 0;                 // <<<<< problem here!!

   return *this;
}

Overwrites memory past the end of the string.

If mMine == Share, mBuf is allocated with mSize+len, then after mSize +=
len, mBuf[mSize] writes data past the last byte of the string.

CG

Prev by Date: [reSIProcate] Repro Question -- Domains
Next by Date: Re: [reSIProcate] String corruption?
Previous by thread: RE: [reSIProcate] Repro Question -- Domains
Next by thread: [reSIProcate] Open Source User Agent
Index(es):
- Date
- Thread