From 12a6f3e055d25481f50c6bde100fdd861da7fbe8 Mon Sep 17 00:00:00 2001
From: Hallvard Furuseth
Date: Wed, 29 Jul 2009 14:57:09 +0000
Subject: [PATCH] ITS#6215: Fix buffer overrun and write through NULL pointer
---
 libraries/liblber/io.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/libraries/liblber/io.c b/libraries/liblber/io.c
index a3e65ba696..39399b645f 100644
--- a/libraries/liblber/io.c
+++ b/libraries/liblber/io.c
@@ -129,9 +129,13 @@ ber_realloc( BerElement *ber, ber_len_t len )
 char *oldbuf;
 assert( ber != NULL );
- assert( len > 0 );
 assert( LBER_VALID( ber ) );
+ /* leave room for ber_flatten() to \0-terminate ber_buf */
+ if ( ++len == 0 ) {
+ return( -1 );
+ }
+
 total = ber_pvt_ber_total( ber );
 #define LBER_EXBUFSIZ 4060 /* a few words less than 2^N for binary buddy */
@@ -415,10 +419,13 @@ int ber_flatten2(
 return -1;
 }
 AC_MEMCPY( bv->bv_val, ber->ber_buf, len );
- } else {
+ bv->bv_val[len] = '\0';
+ } else if ( ber->ber_buf != NULL ) {
 bv->bv_val = ber->ber_buf;
+ bv->bv_val[len] = '\0';
+ } else {
+ bv->bv_val = "";
 }
- bv->bv_val[len] = '\0';
 bv->bv_len = len;
 }
 return 0;
-- 
2.39.5
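Review bot: The new `if ( ++len == 0 )` guard in ber_realloc only catches the increment itself wrapping; it does not protect the growth arithmetic that follows (`total = ber_pvt_ber_total( ber )` and the LBER_EXBUFSIZ rounding, whose use is outside this hunk), so a caller passing a len close to the type's maximum can still overflow the size computed further down — worth confirming that path rejects or clamps it. The guard's correctness also rests on ber_len_t being unsigned (declared in lber.h, not visible here); if it were signed, incrementing from the maximum would be undefined behaviour before the comparison. Since the removed `assert( len > 0 )` has been replaced by a runtime `-1` return rather than another assert, the comment should tell callers that this is now a checked failure, e.g. `/* leave room for ber_flatten() to \0-terminate ber_buf; fails with -1 when len+1 wraps (ber_len_t is unsigned) */`. ber_realloc's body starts before and continues past this hunk.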
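Review bot: The new fallback `bv->bv_val = "";` stores a pointer to a read-only string literal in a non-const `char *` that callers otherwise treat as a writable buffer (this very function writes `bv->bv_val[len] = '\0'` through it in the other two branches), so a caller that writes to or frees bv_val on the empty-element path will fault; this deserves a comment at that line, e.g. `/* empty element: bv_val is a read-only literal, never write or free it */`. It would also help to confirm that len is 0 whenever ber_buf is NULL, since len is computed before this hunk and the literal has room for nothing else. Finally, the in-place write `bv->bv_val[len] = '\0'` in the non-alloc branch is only safe because ber_realloc now reserves the extra byte in the other hunk; a short comment tying the two together (`/* ber_realloc() reserves this trailing byte */`) would stop a future change to ber_realloc from silently reintroducing the overrun. ber_flatten2 begins before this hunk.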