
Address similar issue to #86

buffer/blit could trigger a use-after-free if a buffer is
blitted onto itself and the blit changes its length.
This commit is contained in:
Calvin Rose
2019-05-08 08:55:43 -04:00
parent ff720f1320
commit 65ac17986a
2 changed files with 10 additions and 0 deletions


@@ -296,6 +296,7 @@ static Janet cfun_buffer_blit(int32_t argc, Janet *argv) {
janet_arity(argc, 2, 5);
JanetBuffer *dest = janet_getbuffer(argv, 0);
JanetByteView src = janet_getbytes(argv, 1);
int same_buf = src.bytes == dest->data;
int32_t offset_dest = 0;
int32_t offset_src = 0;
if (argc > 2)
@@ -314,6 +315,7 @@ static Janet cfun_buffer_blit(int32_t argc, Janet *argv) {
if (last > INT32_MAX)
janet_panic("buffer blit out of range");
janet_buffer_ensure(dest, (int32_t) last, 2);
if (same_buf) src.bytes = dest->data;
if (last > dest->count) dest->count = (int32_t) last;
memcpy(dest->data + offset_dest, src.bytes + offset_src, length_src);
return argv[0];
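Review bot: With `same_buf` set, the `memcpy` on the last line of the second hunk copies between two ranges of the same allocation, and whenever `offset_dest` and `offset_src` differ by less than `length_src` those ranges overlap, which is undefined behavior for memcpy. The new re-pointing of `src.bytes` fixes the dangling source pointer after `janet_buffer_ensure` reallocates, but leaves this overlap; the self-copy case should use `memmove(dest->data + offset_dest, src.bytes + offset_src, length_src);` (or branch on `same_buf` and keep memcpy only for the disjoint case). The added line would also benefit from a why-comment, e.g. `/* ensure() may have reallocated dest->data; refresh the aliased source view */`. cfun_buffer_blit begins before the first hunk and the computation of `length_src` and the offset bounds checks lie between the hunks, so the exact range validation is not visible here.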