Fix buffer overflow when manipulating extensions string.

author José Fonseca <jfonseca@vmware.com>

Thu, 27 Oct 2011 12:23:17 +0000 (13:23 +0100)

committer José Fonseca <jfonseca@vmware.com>

Thu, 27 Oct 2011 12:23:17 +0000 (13:23 +0100)
author José Fonseca <jfonseca@vmware.com>
Thu, 27 Oct 2011 12:23:17 +0000 (13:23 +0100)
committer José Fonseca <jfonseca@vmware.com>
Thu, 27 Oct 2011 12:23:17 +0000 (13:23 +0100)
diff --git a/glcaps.cpp b/glcaps.cpp

index fed12d781ad0002c660b653124ce3f7519cf627c..2f16b63c172febde9021a7ad1f7e3b26f41d981c 100644 (file)
--- a/glcaps.cpp
+++ b/glcaps.cpp
@@ -32,6 +32,7 @@
   */
  
  
+#include <assert.h>
  #include <string.h>
  #include <stdlib.h>
  
@@ -81,7 +82,11 @@ overrideExtensionsString(const char *extensions)
          extra_extensions_len += extra_extension_len + 1;
      }
  
-    char *new_extensions = (char *)malloc(extensions_len + 1 + extra_extensions_len);
+    // We use malloc memory instead of a std::string because we need to ensure
+    // that extensions strings will not move in memory as the extensionsMap is
+    // updated.
+    size_t new_extensions_len = extensions_len + 1 + extra_extensions_len + 1;
+    char *new_extensions = (char *)malloc(new_extensions_len);
      if (!new_extensions) {
          return extensions;
      }
@@ -102,7 +107,8 @@ overrideExtensionsString(const char *extensions)
          extensions_len += extra_extension_len;
          new_extensions[extensions_len++] = ' ';
      }
-    new_extensions[extensions_len] = '\0';
+    new_extensions[extensions_len++] = '\0';
+    assert(extensions_len <= new_extensions_len);
  
      extensionsMap[extensions] = new_extensions;
author	José Fonseca <jfonseca@vmware.com>
	Thu, 27 Oct 2011 12:23:17 +0000 (13:23 +0100)
committer	José Fonseca <jfonseca@vmware.com>
	Thu, 27 Oct 2011 12:23:17 +0000 (13:23 +0100)