[reSIProcate] String handling problem in Data::append

Christian_Gavin at logitech.com
Tue Jul 12 17:18:53 CDT 2005

In Data.cxx, the following code:

Data& Data::append(const char* str, size_type len)
{
   if (mCapacity < mSize + len)
   {
      // .dlb. pad for future growth?
      resize(((mSize + len +16)*3)/2, true);
      if (mMine == Share)
      {
         char *oldBuf = mBuf;
         mCapacity = mSize + len;
         mBuf = new char[mSize + len];
         memcpy(mBuf, oldBuf, mSize);
         mMine = Take;
      }
   }

   // could conceivably overlap
   memmove(mBuf + mSize, str, len);
   mSize += len;
   mBuf[mSize] = 0;                 // <<<<< problem here!!

   return *this;
}

Overwrites memory past the end of the string.

If mMine == Share, mBuf is allocated with mSize+len, then after mSize +=
len, mBuf[mSize] writes data past the last byte of the string.

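The overrun described in the post, reproduced as an added example (this is not reSIProcate code, and not the poster's): a minimal model of the Share branch of Data::append with a canary byte planted just past the new allocation, so the one-byte write is observed deterministically rather than through whatever the heap allocator happens to do with it. The member names mBuf, mSize, mCapacity and mMine are kept from the quoted code; the resize() call is left out since only the Share branch matters here. The slack parameter, kCanary, AppendResult, appendShared, reproducesBug and fixedIsClean are this example's own names: slack = 0 mirrors the quoted allocation of mSize + len bytes, slack = 1 is the obvious fix of allocating mSize + len + 1 so the terminator has a slot.

```cpp
// Added example (not reSIProcate code): the Share branch of Data::append,
// instrumented with a canary byte to make the off-by-one write observable.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

enum ShareEnum { Share, Take };
const char kCanary = 0x5A;   // planted one byte past the usable region

struct AppendResult {
    bool overran;        // true if the byte just past the new allocation was clobbered
    bool tookOwnership;  // mMine ended up as Take
    size_t capacity;     // mCapacity after the append
    std::string value;   // resulting contents, for sanity checks
};

// `shared` is a NUL-terminated buffer with `sharedLen` characters before the
// NUL, i.e. what a Data built over borrowed storage points at. `slack` is the
// number of bytes added to the new allocation: 0 reproduces the quoted code,
// 1 is the fix (room for the terminator).
AppendResult appendShared(char* shared, size_t sharedLen,
                          const char* str, size_t len, size_t slack)
{
    char*     mBuf      = shared;
    size_t    mSize     = sharedLen;
    size_t    mCapacity = sharedLen;   // a shared buffer has no spare capacity
    ShareEnum mMine     = Share;
    char*     owned     = nullptr;     // the buffer this code allocates
    size_t    usable    = 0;           // bytes of `owned` that belong to the string

    if (mCapacity < mSize + len) {
        // resize() from the quoted code is omitted; this is the Share branch only.
        if (mMine == Share) {
            char* oldBuf = mBuf;
            usable    = mSize + len + slack;
            mCapacity = usable;
            owned = new char[usable + 1];   // the extra byte is the canary, not capacity
            owned[usable] = kCanary;
            memcpy(owned, oldBuf, mSize);
            mBuf  = owned;
            mMine = Take;
        }
    }

    memmove(mBuf + mSize, str, len);
    mSize += len;
    mBuf[mSize] = 0;   // with slack == 0 this is index mSize+len of an mSize+len byte buffer

    AppendResult r;
    r.overran       = (owned != nullptr && owned[usable] != kCanary);
    r.tookOwnership = (mMine == Take);
    r.capacity      = mCapacity;
    r.value.assign(mBuf, mSize);
    delete[] owned;
    return r;
}

// Constructed input: a 4-byte shared prefix, then append 5 bytes.
bool reproducesBug() {
    char shared[] = "sip:";
    return appendShared(shared, 4, "alice", 5, 0).overran;
}

bool fixedIsClean() {
    char shared[] = "sip:";
    AppendResult r = appendShared(shared, 4, "alice", 5, 1);
    return !r.overran && r.tookOwnership && r.value == "sip:alice";
}

int main() {
    std::printf("quoted allocation overruns: %s\n", reproducesBug() ? "yes" : "no");
    std::printf("mSize + len + 1 allocation: %s\n", fixedIsClean() ? "clean" : "overrun");
    return 0;
}
```

The stray write is a single NUL one byte past the end of a heap block. Depending on the allocator it lands in alignment padding, in the next chunk's header, or in the first byte of a neighbouring allocation, so in the real library it tends to surface as intermittent corruption elsewhere rather than a crash at the faulty line; AddressSanitizer or Valgrind report it at the write itself, which is the quickest way to confirm the report against a build of Data.cxx.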

More information about the resiprocate-devel mailing list