Fix a problem introduced with [593ceca27d]: the blob resize operation may realloc the buffer, so obtain the pointer to the buffer only after the resize to avoid a "use after free".
Commit
36bcaaeee06e23aced66d2a94c4d237d4898f5b9ec8b6d7d1db4f7297179ec5a
Parent
d564056cce59a70…
1 file changed
+1
-1
+1
-1
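--- a/src/printf.c
+++ b/src/printf.c
@@ -850,12 +850,12 @@
 }
 case etHEX: {
 char *zArg = va_arg(ap, char*);
 int szArg = (int)strlen(zArg);
 int szBlob = blob_size(pBlob);
-u8 *aBuf = (u8*)&blob_buffer(pBlob)[szBlob];
 blob_resize(pBlob, szBlob+szArg*2+1);
+u8 *aBuf = (u8*)&blob_buffer(pBlob)[szBlob];
 encode16((const u8*)zArg, aBuf, szArg);
 length = width = 0;
 break;
 }
 case etERROR:
 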
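Review bot: The ordering that closes the use-after-free at new line 856 is load-bearing but not self-documenting, so a later tidy-up could move the `aBuf` initialisation back above the resize and silently reintroduce the dangling pointer; a one-line comment on the `blob_resize` call would pin it, e.g. `/* blob_resize() may realloc the buffer: take aBuf only after it returns */`. Separately, the size arithmetic `szBlob+szArg*2+1` is done in int with `szArg = (int)strlen(zArg)`, so a very long argument would overflow before the resize and make the subsequent `encode16` write past the buffer; computing the new size in `size_t` (or rejecting lengths above a sane bound) would remove that path, though whether callers can ever supply such lengths is not visible here. The same hunk is shown again as old-only and new-only views below; the note applies to all three. The enclosing `switch` and function start and end outside the hunk.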
| --- src/printf.c | |
| +++ src/printf.c | |
| @@ -850,12 +850,12 @@ | |
| 850 | } |
| 851 | case etHEX: { |
| 852 | char *zArg = va_arg(ap, char*); |
| 853 | int szArg = (int)strlen(zArg); |
| 854 | int szBlob = blob_size(pBlob); |
| 855 | u8 *aBuf = (u8*)&blob_buffer(pBlob)[szBlob]; |
| 856 | blob_resize(pBlob, szBlob+szArg*2+1); |
| 857 | encode16((const u8*)zArg, aBuf, szArg); |
| 858 | length = width = 0; |
| 859 | break; |
| 860 | } |
| 861 | case etERROR: |
| 862 |
| --- src/printf.c | |
| +++ src/printf.c | |
| @@ -850,12 +850,12 @@ | |
| 850 | } |
| 851 | case etHEX: { |
| 852 | char *zArg = va_arg(ap, char*); |
| 853 | int szArg = (int)strlen(zArg); |
| 854 | int szBlob = blob_size(pBlob); |
| 855 | blob_resize(pBlob, szBlob+szArg*2+1); |
| 856 | u8 *aBuf = (u8*)&blob_buffer(pBlob)[szBlob]; |
| 857 | encode16((const u8*)zArg, aBuf, szArg); |
| 858 | length = width = 0; |
| 859 | break; |
| 860 | } |
| 861 | case etERROR: |
| 862 |