| field | value | date |
|---|---|---|
| author | Yinan Zhang <zyn8950@gmail.com> | 2019-06-04 23:34:29 (GMT) |
| committer | Qi Wang <interwq@gmail.com> | 2019-07-16 22:15:32 (GMT) |
| commit | e0a0c8d4bf512283e8c85fb4a51761fce5e0c08f | |
| tree | cb14aadd5a784500a7065ecd664fdd84e7b6dc8b | |
| parent | d26636d566167a439ea18da7a234f9040668023b | |
Fix a bug in prof_dump_write
The original logic can be disastrous if `PROF_DUMP_BUFSIZE` is less
than `slen` -- `prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE` would
always be `false`, so `memcpy` would always try to copy
`PROF_DUMP_BUFSIZE - prof_dump_buf_end` chars, which can be
dangerous: in the last round of the `while` loop it would not only
illegally read the memory beyond `s` (which might not always be
disastrous), but it would also illegally overwrite the memory beyond
`prof_dump_buf` (which can be pretty disastrous). `slen` probably
has never gone beyond `PROF_DUMP_BUFSIZE` so we were just lucky.
| -rw-r--r-- | src/prof.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -1292,7 +1292,7 @@ prof_dump_write(bool propagate_err, const char *s) { } } - if (prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE) { + if (prof_dump_buf_end + slen - i <= PROF_DUMP_BUFSIZE) { /* Finish writing. */ n = slen - i; } else { |
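Review bot: the new condition `prof_dump_buf_end + slen - i <= PROF_DUMP_BUFSIZE` is correct but its intent (bytes still to be written versus space left in the buffer) would read more directly as `slen - i <= PROF_DUMP_BUFSIZE - prof_dump_buf_end`, and since the branch body is just `n = slen - i;` under the comment `/* Finish writing. */`, a short comment saying the remaining input now fits would help the next reader. The commit message also says `slen` has probably never exceeded `PROF_DUMP_BUFSIZE`, so this path has had no coverage; a regression test that writes a string longer than the buffer would keep the fix from silently regressing.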