Buffer overflow when wrongly using `memcpy`
| Reported by: | arya_lee |
| Owned by: | |
| Keywords: | buffer overflow, memcpy |
| Cc: | arya_lee |
| Component version: | |
| Operating system type: | |
| Operating system version: | |
In the latest source code, /tests/dirparsertest.cpp, there is a buffer overflow in the function DirectoryListingParserTest::testIndividual().
`len` is the length of `entry.data`, not including the null character, so the allocated size of `data` is `len`. According to the memcpy reference (http://www.cplusplus.com/reference/cstring/memcpy/), we need to make sure the buffer passed as the 1st parameter of memcpy is larger than strlen(2nd parameter)+1 (the 1 accounts for the null character). So we should change line 1475 to `char* data = new char[len+1]; data[len]=0;`
To avoid overflows, the size of the array pointed by destination shall be long enough to contain the same C string as source (including the terminating null character), and should not overlap in memory with source.
```cpp
1474 size_t const len = entry.data.size();
1475 char* data = new char[len];
1476 memcpy(data, entry.data.c_str(), len);
```
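Added example (not code from the ticket or from the project's test suite) showing the proposed fix as a helper that allocates `len+1`, writes the terminator, and keeps the explicit length next to the copy; it also covers the case of an embedded NUL in the source, where `strlen()` of the copy is shorter than `len`. The `Entry` and `CopiedData` types, the helper names and the sample listing strings are assumptions constructed here.

```cpp
#include <cstddef>
#include <cstring>
#include <memory>
#include <string>

// Shape of the test entry in the ticket: the listing text lives in a std::string.
struct Entry { std::string data; };

// Owning buffer plus its explicit length (type and name chosen here, not from the page).
struct CopiedData {
    std::unique_ptr<char[]> bytes;
    size_t len;
};

// The ticket's proposed fix: allocate len+1 and write the terminator, so the
// copy is a valid C string even though memcpy itself never writes byte len.
CopiedData copy_entry_data(const Entry& entry) {
    size_t const len = entry.data.size();
    CopiedData out{std::unique_ptr<char[]>(new char[len + 1]), len};
    memcpy(out.bytes.get(), entry.data.c_str(), len);
    out.bytes[len] = 0;
    return out;
}

// Checks a copy: all len bytes match the source and a terminator sits at index len.
bool copy_matches(const Entry& entry, const CopiedData& c) {
    return c.len == entry.data.size()
        && memcmp(c.bytes.get(), entry.data.data(), c.len) == 0
        && c.bytes[c.len] == 0;
}

// strlen() of the copy. Equals len for ordinary listing lines; shorter when the
// source holds an embedded NUL, which is why the explicit length is kept.
size_t c_string_length(const CopiedData& c) { return strlen(c.bytes.get()); }

// Constructed sample entries (not taken from the project's test data).
const Entry kPlain{"-rw-r--r-- 1 root root 1024 Jan 01 2000 file.txt"};
const Entry kWithNul{std::string("dir\0rest", 8)};
```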