[ogg-dev] [PATCH] skeleton.c

ogg.k.ogg.k at googlemail.com ogg.k.ogg.k at googlemail.com
Wed Feb 6 02:50:55 PST 2008


> but i think the off-by-one check for snprintf is not necessary -- the
> intention is not to write a trailing NUL as this function is used to
> incrementally add lines of text to a buffer.

I've had a second look, and I believe there really was a bug there,
though my patch may not be optimal.

As an example of an off by one bug:

On the first run through the code, message_header_fields will be NULL,
so _ogg_calloc will be called. Assume header_key and header_value
are both "X", so strlen of each is 1. message_size will then be 6, and a
block of 6 bytes is callocated.
Then snprintf is called with a byte limit of message_size+1 (7, one more
than the allocated size), with the string "X: X\r\n", 6 characters and a
terminating NULL. 7 bytes will be written: an overwrite.

Or am I missing a trick here?
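The arithmetic in the message above, worked through as an added example that is not part of the thread or of skeleton.c: the format string "%s: %s\r\n", the size computation strlen(key) + strlen(value) + 4, and the allocation of exactly message_size bytes are assumptions reconstructed from the description, and the overrun is computed from snprintf's return value rather than performed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Size the post computes for one "key: value\r\n" line: the two strings
 * plus 4 bytes for ": " and "\r\n", with no room for a trailing NUL.
 * (Assumed reconstruction; the real skeleton.c code is not on the page.) */
static size_t header_line_size(const char *key, const char *value)
{
    return strlen(key) + strlen(value) + 4;
}

/* Bytes that snprintf(buf, limit, "%s: %s\r\n", key, value) actually
 * stores, terminating NUL included. C99 guarantees: if limit > 0, at
 * most limit-1 characters are copied and a NUL is always appended, so
 * the store is min(needed + 1, limit). A scratch buffer is used only to
 * obtain the "needed" length; no undersized buffer is ever written. */
static size_t bytes_snprintf_writes(size_t limit, const char *key, const char *value)
{
    char scratch[256];  /* sized for the samples here, not the real buffer */
    int needed = snprintf(scratch, sizeof scratch, "%s: %s\r\n", key, value);
    if (needed < 0 || limit == 0)
        return 0;
    size_t want = (size_t)needed + 1;
    return want < limit ? want : limit;
}

/* How many bytes the call would write past an allocation of the given
 * size (0 means the write stays inside the block). */
static size_t overrun_bytes(size_t allocated, size_t limit,
                            const char *key, const char *value)
{
    size_t written = bytes_snprintf_writes(limit, key, value);
    return written > allocated ? written - allocated : 0;
}

int main(void)
{
    const char *key = "X", *value = "X";
    size_t msg = header_line_size(key, value);   /* 6 for "X: X\r\n" */

    /* As described: 6 bytes allocated, limit of message_size+1 = 7 */
    printf("limit %zu, allocated %zu: overrun %zu byte(s)\n",
           msg + 1, msg, overrun_bytes(msg, msg + 1, key, value));
    /* Allocating the extra byte for the NUL keeps the same call in bounds */
    printf("limit %zu, allocated %zu: overrun %zu byte(s)\n",
           msg + 1, msg + 1, overrun_bytes(msg + 1, msg + 1, key, value));
    return 0;
}
```

Note that shrinking the limit to message_size instead would keep the NUL inside the block but drop the final '\n', because snprintf always reserves one byte for the terminator; the allocation, not the limit, has to grow.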
