[prev in list] [next in list] [prev in thread] [next in thread] 

List:       gnulib-bug
Subject:    [PATCH] human: fix output buffer overrun by 1
From:       Paul Eggert <eggert () cs ! ucla ! edu>
Date:       2015-12-31 21:17:50
Message-ID: 1451596670-13001-1-git-send-email-eggert () cs ! ucla ! edu
[Download RAW message or body]

* lib/human.c (human_readable): Fix off-by-one typo in buffer
calculation that could lead to a one-byte buffer overrun.
---
 ChangeLog   | 6 ++++++
 lib/human.c | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index da7e48d..8a919ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-31  Paul Eggert  <eggert@cs.ucla.edu>
+
+	human: fix output buffer overrun by 1
+	* lib/human.c (human_readable): Fix off-by-one typo in buffer
+	calculation that could lead to a one-byte buffer overrun.
+
 2015-12-28  Daiki Ueno  <ueno@gnu.org>
 
 	maint: fix operator precedence in mbrtowc test
diff --git a/lib/human.c b/lib/human.c
index 7863f9c..767aaec 100644
--- a/lib/human.c
+++ b/lib/human.c
@@ -185,7 +185,8 @@ human_readable (uintmax_t n, char *buf, int opts,
   if (strlen (l->thousands_sep) <= MB_LEN_MAX)
     thousands_sep = l->thousands_sep;
 
-  psuffix = buf + LONGEST_HUMAN_READABLE - HUMAN_READABLE_SUFFIX_LENGTH_MAX;
+  /* Leave room for a trailing space and following suffix.  */
+  psuffix = buf + LONGEST_HUMAN_READABLE - 1 - HUMAN_READABLE_SUFFIX_LENGTH_MAX;
   p = psuffix;
 
   /* Adjust AMT out of FROM_BLOCK_SIZE units and into TO_BLOCK_SIZE
-- 
2.5.0


[prev in list] [next in list] [prev in thread] [next in thread]