authorljusten <ljusten@google.com>2020-09-21 17:52:58 +0200
committerGitHub <noreply@github.com>2020-09-21 17:52:58 +0200
commitd89f2cd4714f717e6cc5468c6066e18f22b5fea6 (patch)
treed95720a5aff85f6d8dd13d8f05bb5c44c7865b7f
parentd1938c387e86ab5bbf7cb2e84244229c5bbd5ebf (diff)
downloadlibrsync-d89f2cd4714f717e6cc5468c6066e18f22b5fea6.tar.gz
Fix heap corruption from too small kbloom
kbloom is a bitmask with 'size2' bits, where 'size2' is the next power of 2 of 'size'. Thus, if 'size' is smaller than 4, 'size2' is smaller than 8, so that size2 / 8 == 0 and calloc allocates 0 bytes. This causes heap corruption when kbloom is subsequently written to. See discussion on https://groups.google.com/g/librsync/c/vmqzQS1QjIw.
-rw-r--r--src/hashtable.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/hashtable.c b/src/hashtable.c
index 4ffd9bf..ff3f29c 100644
--- a/src/hashtable.c
+++ b/src/hashtable.c
@@ -52,7 +52,7 @@ hashtable_t *_hashtable_new(int size)
t->count = 0;
t->tmask = size2 - 1;
#ifndef HASHTABLE_NBLOOM
- if (!(t->kbloom = calloc(size2 / 8, sizeof(unsigned char)))) {
+ if (!(t->kbloom = calloc((size2 + 7) / 8, sizeof(unsigned char)))) {
_hashtable_free(t);
return NULL;
}
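Review bot: The rounded-up byte count on the added line still evaluates to 0 when `size2` is 0, so if the `size2` derivation above the hunk maps a non-positive `size` to 0, a caller passing `size <= 0` gets a zero-length `kbloom` again and the same heap corruption the commit fixes once a bit is set; it is worth rejecting such inputs at the top of `_hashtable_new` with `if (size <= 0) return NULL;` before `size2` is derived, or at least asserting it. The `/ 8` also hard-codes the byte width, and `(size2 + CHAR_BIT - 1) / CHAR_BIT` from `<limits.h>` states the intent more directly. The allocation deserves a comment explaining the rounding so a future cleanup does not fold it back, e.g. `/* kbloom holds size2 bits; round up so size2 < 8 still gets one byte. */`. `_hashtable_new` begins before the hunk, so how `size2` is computed from `size` is not visible here, and the commit adds no regression test for small sizes that I can see.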