Blame SOURCES/tigervnc-passwd-crash-with-malloc-checks.patch
|
 |
809922 |
From 5d834359bef6727df82cf4f2c2f3f255145f7785 Mon Sep 17 00:00:00 2001
|
|
|
809922 |
From: Jan Grulich <jgrulich@redhat.com>
|
|
|
809922 |
Date: Tue, 25 May 2021 14:18:48 +0200
|
|
|
809922 |
Subject: [PATCH] CharArray: pre-fill empty array with zeroes
|
|
|
809922 |
|
|
|
809922 |
CharArray should always be null-terminated. There is a potential
|
|
|
809922 |
scenario where this all might lead to crash. In Password we call
|
|
|
809922 |
memset(), passing length of the array we get with strlen(), but
|
|
|
809922 |
this won't return correct value when the array is not properly
|
|
|
809922 |
null-terminated.
|
|
|
809922 |
---
|
|
|
809922 |
common/rfb/util.h | 7 +++++--
|
|
|
809922 |
1 file changed, 5 insertions(+), 2 deletions(-)
|
|
|
809922 |
|
|
|
acbd46 |
diff --git a/common/rfb/util.h b/common/rfb/util.h
|
|
|
809922 |
index 3100f90fd..71caac426 100644
|
|
|
acbd46 |
--- a/common/rfb/util.h
|
|
|
acbd46 |
+++ b/common/rfb/util.h
|
|
|
809922 |
@@ -52,14 +52,17 @@ namespace rfb {
|
|
|
acbd46 |
CharArray(char* str) : buf(str) {} // note: assumes ownership
|
|
|
acbd46 |
CharArray(size_t len) {
|
|
|
acbd46 |
buf = new char[len]();
|
|
|
809922 |
+ memset(buf, 0, len);
|
|
|
acbd46 |
}
|
|
|
acbd46 |
~CharArray() {
|
|
|
acbd46 |
- delete [] buf;
|
|
|
acbd46 |
+ if (buf) {
|
|
|
acbd46 |
+ delete [] buf;
|
|
|
acbd46 |
+ }
|
|
|
acbd46 |
}
|
|
|
acbd46 |
void format(const char *fmt, ...) __printf_attr(2, 3);
|
|
|
acbd46 |
// Get the buffer pointer & clear it (i.e. caller takes ownership)
|
|
|
acbd46 |
char* takeBuf() {char* tmp = buf; buf = 0; return tmp;}
|
|
|
acbd46 |
- void replaceBuf(char* b) {delete [] buf; buf = b;}
|
|
|
acbd46 |
+ void replaceBuf(char* b) {if (buf) delete [] buf; buf = b;}
|
|
|
acbd46 |
char* buf;
|
|
|
acbd46 |
private:
|
|
|
acbd46 |
CharArray(const CharArray&);
|