| side by side (from parent 1:
5d2ec37
)
ffi: fix buffer overrun when padding struct storage
author
Michael Wallner
<mike@php.net>
Fri, 7 Jul 2017 07:18:59 +0000
(09:18 +0200)
committer
Michael Wallner
<mike@php.net>
Fri, 7 Jul 2017 07:18:59 +0000
(09:18 +0200)
src/libffi.c
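diff --git a/src/libffi.c b/src/libffi.c
index f607c39a9c3ba15e049b294d06a7f8e602d052ee..1741513b02df21a3d8409e441bf920a5ae9504d4 100644
--- a/src/libffi.c
+++ b/src/libffi.c
@@ -300,10 +300,13 @@ static size_t psi_ffi_struct_type_pad(ffi_type **els, size_t padding) {
 }
 static ffi_type **psi_ffi_struct_type_elements(struct psi_decl_struct *strct) {
-	size_t i = 0, argc = psi_plist_count(strct->args), nels = 0, offset = 0, maxalign = 0, last_arg_pos = -1;
-	ffi_type **tmp, **els = calloc(argc + 1, sizeof(*els));
+	size_t i = 0, argc, nels = 0, offset = 0, maxalign = 0, last_arg_pos = -1;
+	ffi_type **tmp, **els;
 	struct psi_decl_arg *darg;
+	argc = psi_plist_count(strct->args);
+	els = calloc(argc + 1, sizeof(*els));
+
 	while (psi_plist_get(strct->args, i++, &darg)) {
 		ffi_type *type;
 		size_t padding;
@@ -349,7 +352,17 @@ static ffi_type **psi_ffi_struct_type_elements(struct psi_decl_struct *strct) {
 	assert(offset <= strct->size);
 	if (offset < strct->size) {
-		psi_ffi_struct_type_pad(&els[nels], strct->size - offset);
+		size_t padding = strct->size - offset;
+
+		tmp = realloc(els, (padding + argc + 1) * sizeof(*els));
+		if (tmp) {
+			els = tmp;
+		} else {
+			free(els);
+			return NULL;
+		}
+		psi_ffi_struct_type_pad(&els[nels], padding);
+		els[argc + padding] = NULL;
 	}
 	return els;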
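Review bot: The realloc size and the terminator position in the second hunk are computed from `argc` rather than from `nels`, the index the pad helper actually writes at, and the two only agree when every element appended so far came from exactly one argument. If the loop above (its body is outside the hunk) also appends per-field padding elements, as its per-iteration `size_t padding` suggests, `nels` can exceed `argc`, the grown buffer is then still too small for the trailing pad and the NULL lands inside the padding run instead of after it. Sizing from the write cursor removes that dependence: `tmp = realloc(els, (nels + padding + 1) * sizeof(*els));` and `els[nels + padding] = NULL;`. The `calloc` moved in the first hunk is still not checked before the loop dereferences `els`; the same `if (!els) return NULL;` guard the realloc path now has would fit there, and since the function can now return NULL, its callers need to handle that, which the commit does not mention.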