diff options
| author | Joshua Haberman <jhaberman@gmail.com> | 2019-09-04 12:01:57 -0700 |
|---|---|---|
| committer | Joshua Haberman <jhaberman@gmail.com> | 2019-09-04 12:01:57 -0700 |
| commit | 555b60b0626bdcb6e0436625177c375f75664247 (patch) | |
| tree | 8e7b9d7cd583c2b4ab1b6dda705987957bdf71e5 | |
| parent | 2c869197700f5fd120dfbbb958ea460bc0dd4fef (diff) | |
A memory safety fix, found by ASAN.
We cannot assume that the input string is NULL-terminated,
or read past "len." Instead we manually NULL-terminate it.
| -rw-r--r-- | upb/table.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/upb/table.c b/upb/table.c index 13f8d81..8896d21 100644 --- a/upb/table.c +++ b/upb/table.c @@ -276,7 +276,8 @@ static upb_tabkey strcopy(lookupkey_t k2, upb_alloc *a) { char *str = upb_malloc(a, k2.str.len + sizeof(uint32_t) + 1); if (str == NULL) return 0; memcpy(str, &len, sizeof(uint32_t)); - memcpy(str + sizeof(uint32_t), k2.str.str, k2.str.len + 1); + memcpy(str + sizeof(uint32_t), k2.str.str, k2.str.len); + str[sizeof(uint32_t) + k2.str.len] = '\0'; return (uintptr_t)str; } |