Bug #20359808 - OUT OF BOUNDS WRITE (OFF BY ONE)
DESCRIPTION
===========

/strings/ctype.c: In cs_value(), for one of the cases (Rules: Context), the length check condition is flawed. With the current behaviour it allows the program to write even if the length of "attribute" is equal to the size of "context", which results in memory corruption. This happens since the extra terminating NULL is written at the start of the adjacent variable.

ANALYSIS
========

The program should allow the write only if the length of the former is less than the size of the latter. So the "+ 1" should be dropped from the following condition:

if (len < sizeof(i->context) + 1)

In the regular scenario, when the program writes well within its boundary, this corruption doesn't happen.

FIX
===

Dropped "+ 1" from the condition so that the required check is made correctly.
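The off-by-one described in the commit message, as an added example that is not MySQL's code: `struct rule_info`, `CONTEXT_SIZE`, the `adjacent` member and the helper functions are constructed here to show why `len < sizeof(context) + 1` admits a copy of `len + 1` bytes (value plus terminating NUL) into a `sizeof(context)`-byte field, and how the corrected check rejects it.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for the structure whose "context" member the
   commit message describes. The "adjacent" member is constructed to
   represent whatever follows "context" in memory. Not the real struct. */
#define CONTEXT_SIZE 8
struct rule_info {
  char context[CONTEXT_SIZE];
  char adjacent;
};

/* The check before the fix: off by one, because a string of length len
   occupies len + 1 bytes once the terminating NUL is counted. */
static int check_before_fix(size_t len, size_t capacity) {
  return len < capacity + 1;   /* accepts len == capacity */
}

/* The check after the fix: "+ 1" dropped, so len + 1 bytes always fit. */
static int check_after_fix(size_t len, size_t capacity) {
  return len < capacity;
}

/* Bytes a copy of an attribute of length len actually touches. */
static size_t bytes_written(size_t len) {
  return len + 1;
}

/* 1 if the pre-fix check would let the copy spill past the field. */
static int old_check_overflows(size_t len, size_t capacity) {
  return check_before_fix(len, capacity) && bytes_written(len) > capacity;
}

/* Copy an attribute into i->context using the corrected check.
   Returns 0 on success, -1 when the value plus its NUL would not fit. */
static int set_context(struct rule_info *i, const char *attr, size_t len) {
  if (!check_after_fix(len, sizeof(i->context)))
    return -1;
  memcpy(i->context, attr, len);
  i->context[len] = '\0';
  return 0;
}

/* Exercise: length 8 (== CONTEXT_SIZE) is rejected, length 7 fits, and
   the adjacent byte is untouched. Returns 1 when all of that holds. */
static int demo(void) {
  struct rule_info i;
  i.adjacent = 'X';
  if (set_context(&i, "abcdefgh", 8) != -1) return 0;
  if (set_context(&i, "abcdefg", 7) != 0) return 0;
  return strcmp(i.context, "abcdefg") == 0 && i.adjacent == 'X';
}
```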