Open Bug 556299 Opened 15 years ago Updated 3 years ago

secmod_doDescCopy miscomputes buffer size, leaks allocated string

Categories

(NSS :: Libraries, defect, P2)

3.12.4

Tracking

(Not tracked)

People

(Reporter: timeless, Assigned: rrelyea)

Details

(Keywords: coverity)

275 secmod_doDescCopy(char *target, int *targetLen, const char *desc,
282     if (diff > 0) {
283         /* we need to escape... expand newSpecPtr as well to make sure
284          * we don't overflow it */
291         value = secmod_addEscape(value, '\"');
299     PORT_Memcpy(target, value, esc_len);
302     return target;

There's something else wrong in this function.

280     esc_len = secmod_escapeSize(value, '\"') - 1;
281     diff = esc_len - strlen(value);
282     if (diff > 0) {
283         /* we need to escape... expand newSpecPtr as well to make sure
284          * we don't overflow it */
285         char *newPtr = PORT_Realloc(target, *targetLen * diff);
                                                           ^
'*' ? I think not. '+' I think. Maybe "+ something * diff".

Assignee: nobody → rrelyea
Severity: minor → normal
Priority: -- → P2
Summary: secmod_doDescCopy leaks secmod_addEscape(value,...) if diff > 0 → secmod_doDescCopy miscomputes buffer size, leaks allocated string
Version: trunk → 3.12.4
Severity: normal → S3
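
Added example, not NSS code and not written by anyone on this bug: a small C model of the two problems in the summary, comparing the multiplied size with the added one and freeing the temporary escaped string on every path. The helpers escape_size and add_escape and the function desc_copy are hypothetical stand-ins, and the buffer is assumed to have been sized for the unescaped value.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an escape-size helper: bytes needed for the
 * escaped copy of s, including the terminating NUL. */
static size_t escape_size(const char *s, char q) {
    size_t n = 1;
    for (; *s; s++) n += (*s == q || *s == '\\') ? 2 : 1;
    return n;
}

/* Hypothetical stand-in for an escaping helper: returns a malloc'd copy of s
 * with q and backslash prefixed by a backslash; the caller must free it. */
static char *add_escape(const char *s, char q) {
    char *out = malloc(escape_size(s, q)), *p = out;
    if (!out) return NULL;
    for (; *s; s++) {
        if (*s == q || *s == '\\') *p++ = '\\';
        *p++ = *s;
    }
    *p = '\0';
    return out;
}

/* New size as written in the quoted line 285: old length times growth. */
size_t grown_by_multiply(size_t len, size_t diff) { return len * diff; }

/* New size as the comment proposes: old length plus growth. */
size_t grown_by_add(size_t len, size_t diff) { return len + diff; }

/* Copies the escaped form of value into *buf (capacity *cap, assumed sized for
 * the unescaped value). Grows by addition and frees the temporary string on
 * every path. Returns 0 on success, -1 on allocation failure. */
int desc_copy(char **buf, size_t *cap, const char *value) {
    size_t esc_len = escape_size(value, '"') - 1;
    size_t diff = esc_len - strlen(value);
    char *escaped = NULL;
    if (diff > 0) {
        char *grown = realloc(*buf, grown_by_add(*cap, diff));
        if (!grown) return -1;        /* *buf is untouched and still valid */
        *buf = grown;
        *cap += diff;
        if (!(escaped = add_escape(value, '"'))) return -1;
    }
    memcpy(*buf, escaped ? escaped : value, esc_len + 1);
    free(escaped);                    /* free(NULL) is a no-op */
    return 0;
}
```

With one character to escape, diff is 1, so grown_by_multiply returns the old length unchanged while grown_by_add adds the single byte the escaped copy needs.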