diff options
author | Daniel Stenberg <daniel@haxx.se> | 2008-10-13 21:39:12 +0000 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2008-10-13 21:39:12 +0000 |
commit | 6c2167b65fbbc315e57210c8bb982710fb9ddcf2 (patch) | |
tree | db00bb57e9f06502e98bc55cf5a84bca981213c7 | |
parent | 18be9882f7ed8eaac5052e096c3868906385c1f6 (diff) |
Prevent an off-by-one in a allocated buffer in glob_match_url() - detected by
coverity.com
-rw-r--r-- | src/urlglob.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/urlglob.c b/src/urlglob.c index 711a7e9f5..b133fb0e8 100644 --- a/src/urlglob.c +++ b/src/urlglob.c @@ -496,7 +496,8 @@ char *glob_match_url(char *filename, URLGlob *glob) * be longer than the URL we use. We allocate a good start size, then * we need to realloc in case of need. */ - allocsize=strlen(filename); + allocsize=strlen(filename)+1; /* make it at least one byte to store the + trailing zero */ target = malloc(allocsize); if(NULL == target) return NULL; /* major failure */ @@ -548,7 +549,9 @@ char *glob_match_url(char *filename, URLGlob *glob) } if(appendlen + stringlen >= allocsize) { char *newstr; - allocsize = (appendlen + stringlen)*2; + /* we append a single byte to allow for the trailing byte to be appended + at the end of this function outside the while() loop */ + allocsize = (appendlen + stringlen)*2 + 1; newstr=realloc(target, allocsize); if(NULL ==newstr) { free(target); |