Re: [PATCH] Fix off-by-one buffer overflow in getdelim

[Rich Felker <dalias@libc.org>]

[-- Attachment #1: Type: text/plain, Size: 1283 bytes --]

On Sat, Oct 24, 2015 at 10:43:39PM +0200, Felix Janda wrote:
> when deciding whether to resize the buffer, the terminating null byte
> was not taken into account
> ---
>  src/stdio/getdelim.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/src/stdio/getdelim.c b/src/stdio/getdelim.c
> index a88c393..3077490 100644
> --- a/src/stdio/getdelim.c
> +++ b/src/stdio/getdelim.c
> @@ -27,7 +27,7 @@ ssize_t getdelim(char **restrict s, size_t *restrict n, int delim, FILE *restric
>  	for (;;) {
>  		z = memchr(f->rpos, delim, f->rend - f->rpos);
>  		k = z ? z - f->rpos + 1 : f->rend - f->rpos;
> -		if (i+k >= *n) {
> +		if (i+k+1 >= *n) {
>  			if (k >= SIZE_MAX/2-i) goto oom;
>  			*n = i+k+2;
>  			if (*n < SIZE_MAX/4) *n *= 2;
> -- 
> 2.4.9

I think you're mistaken. i+k is the space needed so far in the buffer
(not counting the terminating null byte) and *n is the usable space.
The equality case of the i+k >= *n conditional covers the need to
expand the buffer when the new content of length k would exactly fit
but would not leave room for null termination.

Just to make sure I wrote a quick test program, which I've attached,
that should crash in free if the overflow occurs. It does not crash
and the output demonstrates correct resizing.

Rich

[-- Attachment #2: getdelim.c --]
[-- Type: text/plain, Size: 422 bytes --]

#include <stdio.h>
#include <stdlib.h>
#include <malloc.h>

int main()
{
	int i;
	FILE *f = tmpfile();
	putc('\n', f);
	for (i=1; i<32; i++) {
		fseek(f, -1, SEEK_END);
		fputs("x\n", f);
		rewind(f);
		ungetc(getc(f), f);
		size_t n = i+1;
		char *s = malloc(n);;
		printf("%zu %zu ", n, malloc_usable_size(s));
		size_t ret = getline(&s, &n, f);
		printf("%zu %zu %zu\n", ret, n, malloc_usable_size(s));
		free(s);
	}
}