Fix a bug in prof_dump_write
The original logic can be disastrous if `PROF_DUMP_BUFSIZE` is less than `slen` -- `prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE` would always be `false`, so `memcpy` would always try to copy `PROF_DUMP_BUFSIZE - prof_dump_buf_end` chars, which can be dangerous: in the last round of the `while` loop it would not only illegally read the memory beyond `s` (which might not always be disastrous), but it would also illegally overwrite the memory beyond `prof_dump_buf` (which can be pretty disastrous). `slen` probably has never gone beyond `PROF_DUMP_BUFSIZE` so we were just lucky.
This commit is contained in:
parent
d26636d566
commit
e0a0c8d4bf
@ -1292,7 +1292,7 @@ prof_dump_write(bool propagate_err, const char *s) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (prof_dump_buf_end + slen <= PROF_DUMP_BUFSIZE) {
|
if (prof_dump_buf_end + slen - i <= PROF_DUMP_BUFSIZE) {
|
||||||
/* Finish writing. */
|
/* Finish writing. */
|
||||||
n = slen - i;
|
n = slen - i;
|
||||||
} else {
|
} else {
|
||||||
|
Loading…
Reference in New Issue
Block a user