#37: corrected buffer overflow in string allocation

2025-01-01 18:20:06 +01:00 · 2017-04-15 19:34:01 +02:00 · 2017-04-15 19:34:01 +02:00 · 050f66ce50
commit 050f66ce50
parent 8e6a2cedaf
2 changed files with 10 additions and 5 deletions
--- a/src/rpn-string.h
+++ b/src/rpn-string.h
@ -5,13 +5,17 @@ void instr()
    // stringify only if not already a string
    if (_stack->get_type(0) != cmd_string)
    {
+        // write the object in stack(0) in a string and remove this obj
        stringstream out;
        ((object*)_stack->back())->show(out);
        _stack->pop_back();

-        ostring str;
-        str.set(out.str().c_str(), out.str().size());
-        _stack->push_back(&str, str.size(), cmd_string);
+        // reserve the correct size in stack
+        _stack->push_back(NULL, out.str().size(), cmd_string, true);
+
+        // fill the obj
+        ostring* str = (ostring*)_stack->get_obj(0);
+        str->set(out.str().c_str(), out.str().size());
    }
 }

--- a/src/stack.h
+++ b/src/stack.h
@ -35,7 +35,7 @@ public:
    }   
    virtual ~stack() { free(_base); }

-    void push_back(void* obj, unsigned int size, int type = 0)
+    void push_back(void* obj, unsigned int size, int type = 0, bool dont_copy = false)
    {
        if (_current + size > _base + _total_size)
        {
@ -44,7 +44,8 @@ public:
            _base = (char*)realloc(_base, _total_size);
        }

-        memcpy(_current, obj, size);
+        if (!dont_copy)
+            memcpy(_current, obj, size);
        _vlen.push_back(size);
        _vpointer.push_back(_current);
        _vtype.push_back(type);