diff options
| author | Adrian Johnson <ajohnson@redneon.com> | 2023-01-03 15:08:48 +1030 |
|---|---|---|
| committer | Adrian Johnson <ajohnson@redneon.com> | 2023-01-03 15:27:05 +1030 |
| commit | 82aa3fb80eed9eb7f5b0225a89d33a08b269dd9f (patch) | |
| tree | c657f0d5183473ab37c37732a2b43f219cfa0452 /util | |
| parent | 5e0e40e3c53d253bb767606f847182f95a443547 (diff) | |
| download | cairo-82aa3fb80eed9eb7f5b0225a89d33a08b269dd9f.tar.gz | |
Fix bug in strndup implementation
The strlen() could go past the n bytes and into a memory address we
don't have read access to.
Diffstat (limited to 'util')
| -rw-r--r-- | util/cairo-missing/strndup.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/util/cairo-missing/strndup.c b/util/cairo-missing/strndup.c index 280ea3017..049802b76 100644 --- a/util/cairo-missing/strndup.c +++ b/util/cairo-missing/strndup.c @@ -37,15 +37,19 @@ char * strndup (const char *s, size_t n) { + const char *end; size_t len; char *sdup; if (s == NULL) return NULL; - len = strlen (s); - if (len > n) + end = memchr (s, 0, n); + if (end) + len = end - s; + else len = n; + sdup = (char *) _cairo_malloc (len + 1); if (sdup != NULL) { memcpy (sdup, s, len); |