In the function fgetwln() there's a 4 byte heap overflow.
There is a while loop that has this check to see whether there's still
enough space in the buffer:
if (!fb->len || wused > fb->len) {
If this is true more memory gets allocated. However this test won't be
true if wused == fb->len, but at that point wused already points out
of the buffer. Some lines later there's a write to the buffer:
fb->wbuf[wused++] = wc;
This bug was found with the help of address sanitizer.
Warned-by: ASAN Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=93881 Signed-off-by: Guillem Jover <guillem@hadrons.org>
projects / thirdparty / libbsd.git / commit
