* Change the buffer length test in NEEDSP() so that it does not
authorDavid Rhodus <drhodus@dragonflybsd.org>
Tue, 4 Nov 2003 15:44:36 +0000 (15:44 +0000)
committerDavid Rhodus <drhodus@dragonflybsd.org>
Tue, 4 Nov 2003 15:44:36 +0000 (15:44 +0000)
subtract one unsigned number from another potentially smaller
one, leading to wraparound (and heap corruption, eventually).

Obtained from: The FreeBSD project

usr.bin/sed/process.c

index 4f45cdc..5533de5 100644 (file)
@@ -36,7 +36,7 @@
  *
  * @(#)process.c       8.6 (Berkeley) 4/20/94
  * $FreeBSD: src/usr.bin/sed/process.c,v 1.10.2.10 2003/06/13 07:32:08 fanf Exp $
- * $DragonFly: src/usr.bin/sed/process.c,v 1.3 2003/10/04 20:36:50 hmp Exp $
+ * $DragonFly: src/usr.bin/sed/process.c,v 1.4 2003/11/04 15:44:36 drhodus Exp $
  */
 
 #include <sys/types.h>
@@ -546,7 +546,7 @@ regsub(SPACE *sp, char *string, char *src)
        char c, *dst;
 
 #define        NEEDSP(reqlen)                                                  \
-       if (sp->len >= sp->blen - (reqlen) - 1) {                       \
+       if (sp->len + (reqlen) + 1 >= sp->blen) {                       \
                sp->blen += (reqlen) + 1024;                            \
                if ((sp->space = sp->back = realloc(sp->back, sp->blen)) \
                    == NULL)                                            \
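Review bot: The rewritten test `if (sp->len + (reqlen) + 1 >= sp->blen)` carries no comment explaining why it is written as an addition, so a later cleanup could fold it back into the subtracting form that wrapped. A comment above the `#define NEEDSP(reqlen)` line would pin this down, for example `/* Compare by addition: per the commit message the lengths are unsigned, so blen - reqlen - 1 wraps when reqlen + 1 > blen. */`. The sum itself can in principle wrap if `reqlen` approaches the type's maximum; that looks unreachable for lengths of in-memory strings, but it is worth stating as an assumption in the same comment. The macro body, including what happens after a failed `realloc`, continues outside the hunk.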