diff options
| author | Max Kunzelmann <max@mxzero.net> | 2023-11-11 21:28:03 +0100 |
|---|---|---|
| committer | Lukas Fleischer <lfleischer@calcurse.org> | 2023-12-14 13:17:24 +0100 |
| commit | aa5ff07b61b6bd9db948cd6541bed3cd44f25924 (patch) | |
| tree | 2c04d3fd22784b15623aae8e8bead30a921c7245 | |
| parent | 80cd8af9567bf2ddeb017ea738de0adb4fba2543 (diff) | |
| download | calcurse-aa5ff07b61b6bd9db948cd6541bed3cd44f25924.tar.gz calcurse-aa5ff07b61b6bd9db948cd6541bed3cd44f25924.zip | |
Fix out of bounds memory access (off by one)
If fgets reads a line that only contains a `\n`, then the pointer `eol`
will point to the first byte in that buffer. The subsequent dereference
of `*(eol -1 )` will access the byte before that buffer.
This fix makes sure that that length of the current line read by fgets
is at least 2 bytes long.
Signed-off-by: Max Kunzelmann <max@mxzero.net>
Signed-off-by: Lukas Fleischer <lfleischer@calcurse.org>
| -rw-r--r-- | src/ical.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -691,7 +691,7 @@ static int ical_readline(FILE * fdi, char *buf, char *lstore, unsigned *ln) while (fgets(lstore, BUFSIZ, fdi) != NULL) { (*ln)++; if ((eol = strchr(lstore, '\n')) != NULL) { - if (*(eol - 1) == '\r') + if (strlen(lstore) > 1 && *(eol - 1) == '\r') *(eol - 1) = '\0'; else *eol = '\0'; |