2008-07-24

2008-07-24 14:47:47 by Henrik Grubbström (Grubba) <grubba@grubba.org>

Fixed buffer overwrite in add_arrays().

Rev: src/array.c:1.220

2:   || This file is part of Pike. For copyright information see COPYRIGHT.   || Pike is distributed under GPL, LGPL and MPL. See the file COPYING   || for more information. - || $Id: array.c,v 1.219 2008/07/21 14:02:12 grubba Exp $ + || $Id: array.c,v 1.220 2008/07/24 14:47:47 grubba Exp $   */      #include "global.h"
1605: Inside #if 1
   v=argp[e].u.array;    if(v->refs == 1 && v->malloced_size >= size)    { -  if ((v->item - v->real_item) >= tmp) { +  if (((v->item - v->real_item) >= tmp) && +  ((v->item + size) <= (v->real_item + v->malloced_size))) { +  /* There's enough space before and after. */    debug_malloc_touch(v);    mark_free_svalue(argp + e);    for(tmp=e-1;tmp>=0;tmp--)
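Review bot: In the add_arrays() hunk, the new upper-bound test `(v->item + size) <= (v->real_item + v->malloced_size)` forms the pointer `v->item + size` before comparing it. The only visible bound on `size` is `v->malloced_size >= size`, so whenever `v->item` is offset from `v->real_item` that sum can point more than one element past the end of the allocation, which is undefined in C, and that is exactly the case the test is meant to reject. Comparing offsets instead, for example `(v->item - v->real_item) + size <= v->malloced_size`, states the same condition without creating the out-of-range pointer. The added comment could also say what "before" and "after" are measured against (`tmp` items in front of `v->item`, `size` items from it onward), since the two halves of the condition use different quantities.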