author: Yinan Zhang <zyn8950@gmail.com> 2019-06-04 23:34:29 (GMT)
committer: Qi Wang <interwq@gmail.com> 2019-07-16 22:15:32 (GMT)
commit: e0a0c8d4bf512283e8c85fb4a51761fce5e0c08f
tree: cb14aadd5a784500a7065ecd664fdd84e7b6dc8b
parent: d26636d566167a439ea18da7a234f9040668023b
Fix a bug in prof_dump_write
The original logic can be disastrous if `PROF_DUMP_BUFSIZE` is less than `slen` -- `prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE` would always be `false`, so `memcpy` would always try to copy `PROF_DUMP_BUFSIZE - prof_dump_buf_end` chars, which can be dangerous: in the last round of the `while` loop it would not only illegally read the memory beyond `s` (which might not always be disastrous), but it would also illegally overwrite the memory beyond `prof_dump_buf` (which can be pretty disastrous). `slen` probably has never gone beyond `PROF_DUMP_BUFSIZE` so we were just lucky.
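To make the failure mode concrete, the following is an added model of the chunked write loop the commit message describes; it is not jemalloc's prof_dump_write. The buffer is shrunk to 8 bytes (a stand-in for PROF_DUMP_BUFSIZE), flushing appends to an in-memory output instead of a file, and the string under test is placed inside a larger array padded with 'X' after its terminator so that an over-read of `s` stays inside defined memory and shows up as stray bytes in the output. The `fixed` flag switches between the old condition and the one from the patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for prof_dump_buf / PROF_DUMP_BUFSIZE, shrunk so
 * that slen > BUFSIZE is easy to reach. */
#define BUFSIZE 8
#define OUTMAX 256

static char buf[BUFSIZE];      /* the dump buffer */
static size_t buf_end;         /* bytes currently in buf */
static char out[OUTMAX];       /* everything "flushed" so far */
static size_t out_len;

static void reset(void) {
    memset(buf, 0, sizeof buf);
    buf_end = 0;
    memset(out, 0, sizeof out);
    out_len = 0;
}

/* Flush: append the buffer to the in-memory output (stands in for write()). */
static void flush(void) {
    if (out_len + buf_end <= OUTMAX) {
        memcpy(out + out_len, buf, buf_end);
        out_len += buf_end;
    }
    buf_end = 0;
}

/* Copy s into buf chunk by chunk, as the commit message describes the loop.
 * fixed == false uses the old check; fixed == true uses the patched one.
 * Returns the number of bytes consumed from s (the final i), which should
 * equal strlen(s). */
static size_t dump_write(const char *s, bool fixed) {
    size_t i = 0, slen = strlen(s), n;
    while (i < slen) {
        if (buf_end == BUFSIZE) {
            flush();
        }
        bool remaining_fits = fixed ? (buf_end + slen - i <= BUFSIZE)
                                    : (buf_end + slen <= BUFSIZE);
        if (remaining_fits) {
            n = slen - i;              /* finish writing */
        } else {
            n = BUFSIZE - buf_end;     /* write as much as fits */
        }
        memcpy(&buf[buf_end], &s[i], n);
        buf_end += n;
        i += n;
    }
    flush();
    return i;
}

/* Place text in a 64-byte array padded with 'X' after the NUL (constructed
 * input), run one write, and return bytes consumed and whether the flushed
 * output is exactly text. */
static size_t run(const char *text, bool fixed, bool *ok) {
    char padded[64];
    memset(padded, 'X', sizeof padded);
    padded[sizeof padded - 1] = '\0';
    size_t len = strlen(text);
    memcpy(padded, text, len + 1);     /* terminator included; 'X' follows */
    reset();
    size_t consumed = dump_write(padded, fixed);
    *ok = (out_len == len && memcmp(out, text, len) == 0);
    return consumed;
}

static bool roundtrip_ok(const char *text, bool fixed) {
    bool ok;
    (void)run(text, fixed, &ok);
    return ok;
}

static size_t consumed_bytes(const char *text, bool fixed) {
    bool ok;
    return run(text, fixed, &ok);
}

int main(void) {
    const char *s = "0123456789";    /* 10 bytes > BUFSIZE */
    bool ok;
    size_t c;
    c = run(s, false, &ok);
    printf("old check: output ok=%d, consumed %zu of %zu bytes\n", ok, c, strlen(s));
    c = run(s, true, &ok);
    printf("new check: output ok=%d, consumed %zu of %zu bytes\n", ok, c, strlen(s));
    return 0;
}
```

With the old condition and a 10-byte string, the second iteration copies `BUFSIZE - buf_end` = 8 bytes starting at `s[8]`, so the loop reads past the terminator, emits the NUL and six pad bytes into the dump, and finishes with `i` = 16 rather than 10; the patched condition copies the remaining 2 bytes and stops. In this model the destination offsets stay inside `buf`, since `n` never exceeds `BUFSIZE - buf_end`; the effect visible here is the over-read of `s` and the corrupted stream that reaches the flush.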
 src/prof.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/prof.c b/src/prof.c
index a4e30f4..4ebe279 100644
--- a/src/prof.c
+++ b/src/prof.c
@@ -1292,7 +1292,7 @@ prof_dump_write(bool propagate_err, const char *s) {
}
}
- if (prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE) {
+ if (prof_dump_buf_end + slen - i <= PROF_DUMP_BUFSIZE) {
/* Finish writing. */
n = slen - i;
} else {
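Review bot: the new condition `prof_dump_buf_end + slen - i <= PROF_DUMP_BUFSIZE` is only safe because `i <= slen` holds here; with size_t operands, the equivalent remaining-bytes form `slen - i <= PROF_DUMP_BUFSIZE - prof_dump_buf_end` states that invariant directly and cannot wrap on either side (the right-hand side is non-negative as long as the loop keeps `prof_dump_buf_end <= PROF_DUMP_BUFSIZE`, which the memcpy below already requires). An `assert(i <= slen)` before the check would make the assumption explicit. Since the commit message says the `slen > PROF_DUMP_BUFSIZE` path was never exercised, a regression test that dumps a string longer than PROF_DUMP_BUFSIZE and compares the written bytes is worth adding alongside this one-line fix.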