From aa5ff07b61b6bd9db948cd6541bed3cd44f25924 Mon Sep 17 00:00:00 2001
From: Max Kunzelmann
Date: Sat, 11 Nov 2023 21:28:03 +0100
Subject: Fix out of bounds memory access (off by one)

If fgets reads a line that only contains a `\n`, then the pointer `eol` will point to the first byte in that buffer. The subsequent dereference of `*(eol -1 )` will access the byte before that buffer. This fix makes sure that that length of the current line read by fgets is at least 2 bytes long.
Signed-off-by: Max Kunzelmann
Signed-off-by: Lukas Fleischer
---
 src/ical.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/ical.c b/src/ical.c
index 6d2d8d2..a8ce0a4 100644
--- a/src/ical.c
+++ b/src/ical.c
@@ -691,7 +691,7 @@ static int ical_readline(FILE * fdi, char *buf, char *lstore, unsigned *ln)
 while (fgets(lstore, BUFSIZ, fdi) != NULL) {
 (*ln)++;
 if ((eol = strchr(lstore, '\n')) != NULL) {
- if (*(eol - 1) == '\r')
+ if (strlen(lstore) > 1 && *(eol - 1) == '\r')
 *(eol - 1) = '\0';
 else
 *eol = '\0';
-- 
cgit v1.2.3-70-g09d2
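Review bot: The new guard on the `'\r'` check tests `strlen(lstore) > 1`, which re-scans the line to establish something `eol` already encodes; comparing the pointers states the bound that actually protects `*(eol - 1)`: `if (eol > lstore && *(eol - 1) == '\r')`. The two forms are equivalent here only because fgets stops at the first newline, so `eol` is always the last character read, while the pointer form stays correct without that reasoning. A short comment such as `/* eol == lstore for an empty line: no byte precedes the newline */` would keep the guard from being simplified away later. The body of ical_readline starts and ends outside the hunk, so how a line without a `'\n'` is handled cannot be judged from here.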