Don't read beyond the end of buffers

Fixes an off-by-one error in libbdelta where one token too many was being read from the end of a buffer, and could cause a crash when the buffer was user-supplied.
1 parent 3c6ba6e commit 545ddd4ef23e792f246ba6d76c9efd8c1bd02d8b John Whitney committed Dec 4, 2012
Showing with 4 additions and 1 deletion.
  1. +4 −1 src/libbdelta.cpp
@@ -182,7 +182,7 @@ void findMatches(BDelta_Instance *b, Checksums_Instance *h, unsigned minMatchSiz
*outbuf;
Hash hash = Hash(inbuf, blocksize);
unsigned buf_loc = blocksize;
- for (unsigned j = start + blocksize; j <= end; ++j) {
+ for (unsigned j = start + blocksize; ; ++j) {
unsigned thisTableIndex = h->tableIndex(hash.getValue());
checksum_entry *c = h->htable[thisTableIndex];
if (c) {
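Review bot: With `j <= end` dropped from the `for` header, the body now runs at least once even when `start + blocksize` is already greater than `end`, and the table lookup at the top of the body is reached before any bounds check. If callers cannot guarantee `start + blocksize <= end`, add a guard before the loop. A short comment on the `for` line pointing at the later `if (j >= end) break;` would also help, since an empty loop condition otherwise reads as an unbounded loop and a future `continue` placed above the break would skip the only exit test.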
@@ -242,6 +242,9 @@ void findMatches(BDelta_Instance *b, Checksums_Instance *h, unsigned minMatchSiz
inbuf = b->read2(outbuf == buf1 ? buf2 : buf1, j, std::min(end - j, blocksize));
}
+ if (j >= end)
+ break;
+
hash.advance(outbuf[buf_loc], inbuf[buf_loc]);
++buf_loc;
}
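Review bot: The new `if (j >= end) break;` sits after the refill call `b->read2(..., j, std::min(end - j, blocksize))`, so at `j == end` that call can still be issued with a length of zero, and if `end` is unsigned like `j`, `end - j` would wrap rather than go negative should `j` ever exceed `end`. Consider moving the check above the refill if nothing in between depends on it, or say in a comment why this order is needed. A comment that the break must come before `hash.advance(outbuf[buf_loc], inbuf[buf_loc])`, because that call is what reads the token past the end of the buffer, would protect the fix from later refactoring, and a regression test with an input that ends exactly on the buffer boundary would cover it.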
