Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.Sign up
Fix read off end of array due to bad pointer math in getworkingpath f… #4258
@VictorSCushman and I came across this issue with help from Valgrind
The problem is reproducible by creating a basic application using the library to download a file from a url of this pattern: scp://user@host/~/* and running it through valgrind memcheck on Ubuntu 18.04. The actual error is an "invalid read of size 1"
We narrowed it down to this line below. Here's an explanation of our reasoning:
Given working_path as "/~/file.txt", working_path_len is calculated as 11 and real_path is a buffer allocated with a size of 12 (working_path_len + 1 for null terminator).
The memcpy below takes working_path + 3 as its source to strip the "/~/" leaving just "file.txt" which is of size 8 + 1 for null terminator. Therefore the length that should be memcopied should be 9 but below the length will be (4 + 11 - 3 = 12) and we will read off the end of working_path since our source pointer is actually working_path + 3 and our length is the full length of working_path including null terminator
I've tested this fix and it works fine for me and stops valgrind from complaining. Are there any problems that could be caused by this fix that my testing could have missed?