From 4301803a0231d0a42bc1fc1230fa250098c01dc3 Mon Sep 17 00:00:00 2001
From: Kevin Day
Date: Mon, 28 Sep 2020 21:44:18 -0500
Subject: [PATCH] Bugfix: the fl_string_dynamic_terminate() function is not correctly checking the NULL.

In the case of when the array is not allocated (size == 0), the terminate is still checking the string index. This is an invalid read.

Also, the logic is revered on the string index read. The check needs to be "!0" instead of "0".
---
 level_1/fl_string/c/string.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/level_1/fl_string/c/string.c b/level_1/fl_string/c/string.c
index 6cc775c..ddd83af 100644
--- a/level_1/fl_string/c/string.c
+++ b/level_1/fl_string/c/string.c
@@ -1090,9 +1090,13 @@ extern "C" {
 if (destination->used > destination->size) return F_status_set_error(F_parameter);
 #endif // _di_level_1_parameter_checking_
 
-if (!destination->used && destination->string[destination->used - 1]) return F_none;
+if (!destination->used && destination->size && !destination->string[destination->used - 1]) {
+return F_none;
+}
 
-if (destination->used == f_string_length_t_size) return F_status_set_error(F_string_too_large);
+if (destination->used == f_string_length_t_size) {
+return F_status_set_error(F_string_too_large);
+}
 
 const f_string_length_t total = destination->used + 1;
 
@@ -1124,7 +1128,9 @@ extern "C" {
 } // for
 }
 
-if (destination->used == f_string_length_t_size) return F_status_set_error(F_string_too_large);
+if (destination->used == f_string_length_t_size) {
+return F_status_set_error(F_string_too_large);
+}
 
 const f_string_length_t total = destination->used + 1;
 
-- 
1.8.3.1
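Review bot: The rewritten guard in the first hunk still evaluates `destination->string[destination->used - 1]` only when `!destination->used`, i.e. when `used` is 0, so the index is `0 - 1` — out of bounds no matter what `size` holds (and, if f_string_length_t is unsigned, a wrap to the type's maximum), which is the same invalid read the commit sets out to fix. The added `destination->size &&` term does not close this, because even a non-empty allocation has no element before index 0. An early return that means "already NUL-terminated" needs content to inspect, so the condition should be `if (destination->used && !destination->string[destination->used - 1]) {`; with `used == 0` the function then falls through to the append path that the rest of the hunk handles. The enclosing function begins before this hunk, and the second hunk is a brace-only change that needs nothing further.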