Fix out of bounds memory access (off by one)
If fgets reads a line that only contains a `\n`, then the pointer `eol`
will point to the first byte in that buffer. The subsequent dereference
of `*(eol -1 )` will access the byte before that buffer.

This fix makes sure that the length of the current line read by fgets
is at least 2 bytes long.

Signed-off-by: Max Kunzelmann <max@mxzero.net>
Signed-off-by: Lukas Fleischer <lfleischer@calcurse.org>
Max Kunzelmann authored and Lukas Fleischer committed Dec 14, 2023
1 parent 80cd8af commit aa5ff07
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/ical.c
Expand Up @@ -691,7 +691,7 @@ static int ical_readline(FILE * fdi, char *buf, char *lstore, unsigned *ln)
while (fgets(lstore, BUFSIZ, fdi) != NULL) {
(*ln)++;
if ((eol = strchr(lstore, '\n')) != NULL) {
if (*(eol - 1) == '\r')
if (strlen(lstore) > 1 && *(eol - 1) == '\r')
*(eol - 1) = '\0';
else
*eol = '\0';
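
Review bot: The guard added in front of the `*(eol - 1)` read, `strlen(lstore) > 1`, rescans the whole line to learn something the two pointers already say. Because `eol` is the result of `strchr(lstore, '\n')`, the condition `eol > lstore` states the precondition directly (there is at least one byte of the buffer before `eol`) and keeps the bounds check visibly tied to the dereference it protects, so I would write `if (eol > lstore && *(eol - 1) == '\r')`. The behaviour for a line holding only `\n` is the same either way: the `else` branch runs and `*eol = '\0'` leaves an empty string. A one-line comment naming that empty-line case, and a regression input containing a bare `\n` line, would keep the check from being dropped in a later cleanup.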