Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Don't read beyond the end of buffers

Fixes an off-by-one error in libbdelta where one token too many was being read from the end of a buffer, and could cause a crash when the buffer was user-supplied.
  • Loading branch information...
commit 545ddd4ef23e792f246ba6d76c9efd8c1bd02d8b 1 parent 3c6ba6e
John Whitney authored
Showing with 4 additions and 1 deletion.
  1. +4 −1 src/libbdelta.cpp
View
5 src/libbdelta.cpp
@@ -182,7 +182,7 @@ void findMatches(BDelta_Instance *b, Checksums_Instance *h, unsigned minMatchSiz
*outbuf;
Hash hash = Hash(inbuf, blocksize);
unsigned buf_loc = blocksize;
- for (unsigned j = start + blocksize; j <= end; ++j) {
+ for (unsigned j = start + blocksize; ; ++j) {
unsigned thisTableIndex = h->tableIndex(hash.getValue());
checksum_entry *c = h->htable[thisTableIndex];
if (c) {
@@ -242,6 +242,9 @@ void findMatches(BDelta_Instance *b, Checksums_Instance *h, unsigned minMatchSiz
inbuf = b->read2(outbuf == buf1 ? buf2 : buf1, j, std::min(end - j, blocksize));
}
+ if (j >= end)
+ break;
+
hash.advance(outbuf[buf_loc], inbuf[buf_loc]);
++buf_loc;
}
Please sign in to comment.
Something went wrong with that request. Please try again.