[vbox-dev] Bug report (medium)

Frank Mehnert Frank.Mehnert at Sun.COM
Mon May 3 12:38:11 GMT 2010


On Saturday 01 May 2010, Frank Mehnert wrote:
> On Saturday 01 May 2010, TwoThe wrote:
> > Type: Bug
> > Severity: medium
> > Component: VirtualBox OSE
> > Host: Ubuntu 64
> >
> > In file src/libs/xpcom18a4/xpcom/typelib/xpidl/xpidl_typelib.c:
> >
> >    #417       annotation_len = strlen(annotation_format) + strlen(state->basename) +
> >    418            strlen(timestr);
> >    419        for (i = 0; i < HEADER(state)->num_interfaces; i++) {
> >    [...]
> >    425        }
> >    426
> >    !427       annotate_val = (char *) malloc(annotation_len);
> >
> > In line 417 the size of annotation_len is calculated and later (line 427)
> > used to allocate memory for a string, but there is not enough memory
> > reserved for the terminating 0 character. In line 418 there should be a
> > "+ 1" added to the calculation.
>
> Confirmed. Thanks for this report!

Actually this isn't a bug. I admit that this code is complicated
and quite ugly but in fact we allocate 3 bytes more than necessary
because we reserve space for two '%s' format specifiers which are
replaced by state->basename and timestr. So one of these 4 bytes
can hold the terminating '\0'.

Kind regards,

Frank
-- 
Dr.-Ing. Frank Mehnert

Registered office:
Sun Microsystems GmbH, Sonnenallee 1, 85551 Kirchheim-Heimstetten
Munich District Court: HRB 161028
Managing Director: Jürgen Kunz
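The sizing argument from the reply above, checked in code. This is an added example, not code from VirtualBox or from the thread; `annotation_format` is a constructed stand-in with two `%s` specifiers, since the real string is not quoted here, and the helper names are mine.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for annotation_format: the thread only says it holds
 * two "%s" specifiers; the real string is not quoted. */
static const char *const annotation_format = "Generated from %s.idl on %s";

/* The length arithmetic as on lines 417/418 of the report: no "+ 1". */
static size_t len_as_in_source(const char *fmt, const char *basename, const char *timestr)
{
    return strlen(fmt) + strlen(basename) + strlen(timestr);
}

/* Bytes left over after the expanded text and its '\0'. Each "%s" is two
 * format bytes counted by strlen(fmt) that never reach the output, so two
 * specifiers leave 4 - 1 = 3 spare bytes (2n - 1 for n specifiers).
 * A negative result would mean the terminator does not fit. */
static long spare_bytes(const char *fmt, const char *basename, const char *timestr)
{
    size_t alloc = len_as_in_source(fmt, basename, timestr);
    int expanded = snprintf(NULL, 0, fmt, basename, timestr); /* excludes '\0' */
    if (expanded < 0)
        return -1;
    return (long)alloc - ((long)expanded + 1);
}

/* malloc()s the source's length and formats into it, but only after the
 * check above shows the terminator fits. Caller frees; NULL on failure. */
static char *build_annotation(const char *fmt, const char *basename, const char *timestr)
{
    if (spare_bytes(fmt, basename, timestr) < 0)
        return NULL;
    size_t alloc = len_as_in_source(fmt, basename, timestr);
    char *out = malloc(alloc);
    if (out != NULL)
        snprintf(out, alloc, fmt, basename, timestr);
    return out;
}

/* 1 if the built annotation equals expected, else 0. */
static int annotation_matches(const char *fmt, const char *basename,
                              const char *timestr, const char *expected)
{
    char *s = build_annotation(fmt, basename, timestr);
    int ok = s != NULL && strcmp(s, expected) == 0;
    free(s);
    return ok;
}
```

The check generalises the reply: for a format made of literal text and `n` `%s` specifiers, the sum of the three `strlen()`s exceeds the expanded length plus terminator by `2n - 1`, so a single `%s` would still leave one spare byte while a format with none would be short.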