这个是整数溢出的问题
programs/util.c
static char* mallocAndJoin2Dir(const char *dir1, const char *dir2)
{
assert(dir1 != NULL && dir2 != NULL);
{ const size_t dir1Size = strlen(dir1);
const size_t dir2Size = strlen(dir2);
char *outDirBuffer, *buffer;
当 (dir1Size + dir2Size +2) 的值溢出后,会变成一个小于实际需要的值(size_t 是unsigned long), 会导致后面的 mempcy 出错
outDirBuffer = (char *) malloc(dir1Size + dir2Size + 2);
CONTROL(outDirBuffer != NULL);
memcpy(outDirBuffer, dir1, dir1Size);
outDirBuffer[dir1Size] = '\0';
buffer = outDirBuffer + dir1Size;
if (dir1Size > 0 && *(buffer - 1) != PATH_SEP) {
*buffer = PATH_SEP;
buffer++;
}
memcpy(buffer, dir2, dir2Size);
buffer[dir2Size] = '\0';
return outDirBuffer;
}
}
这个是整数溢出的问题
programs/util.c