    gstring: Fix a heap buffer overflow in the new g_string_replace() code · c9e48947
    Philip Withnall authored
    This affects the new `g_string_replace()` code which landed on `main` a
    few days ago. It does not affect the old implementation of
    `g_string_replace()`.
    
    The code for the `f_len == 0` (needle is an empty string) case was
    modifying `string` in the loop, without updating any of the string
    pointers into it. If the replacement was long enough (or inserted enough
    times), this would trigger a realloc of `string->str` and cause all the
    string pointers to be dangling.
    
    Fix this by pulling the `f_len == 0` code out into a separate branch and
    loop, rather than trying to integrate it into the main loop. This
    simplifies the main loop significantly, and makes both easier to verify.
    
    An alternative approach, which doesn’t involve splitting the
    `f_len == 0` case out, might have been to track the positions using
    indexes rather than string pointers. I think the approach in this commit
    is better, though, as it removes the possibility of `f_len == 0`
    e...
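An added illustration of the hazard the commit message describes, written for this page and not taken from GLib (the `Buf` type and the `buf_insert()` / `buf_replace_empty()` names are assumptions): a minimal growable string whose empty-needle replacement runs in its own loop, separate from any pointer-walking code, and tracks its position by byte index. Every insertion may `realloc()` the buffer, so any `char *` captured into it before the insertion would be stale afterwards, whereas an index survives the move. The `check_*` functions return 1 on success so the behaviour can be verified without inspecting output.

```c
/* Illustration only: a tiny growable string (not GLib's GString) and an
 * empty-needle replace loop that is safe across realloc() because it keeps
 * an index, never a pointer, into the buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *str;     /* NUL-terminated contents (may move on growth) */
    size_t len;    /* bytes in use, excluding the NUL */
    size_t alloc;  /* bytes allocated */
} Buf;

static void buf_init(Buf *b, const char *init) {
    b->len = strlen(init);
    b->alloc = b->len + 1;
    b->str = malloc(b->alloc);
    if (!b->str) abort();
    memcpy(b->str, init, b->alloc);
}

/* Ensure room for `extra` more bytes plus the NUL. May move b->str, which is
 * exactly what invalidates any pointer previously taken into it. */
static void buf_reserve(Buf *b, size_t extra) {
    size_t want = b->len + extra + 1;
    if (want <= b->alloc) return;
    size_t cap = b->alloc;
    while (cap < want) cap *= 2;
    char *p = realloc(b->str, cap);
    if (!p) abort();
    b->str = p;
    b->alloc = cap;
}

/* Insert n bytes of `ins` at byte offset `pos` (0 <= pos <= len). */
static void buf_insert(Buf *b, size_t pos, const char *ins, size_t n) {
    buf_reserve(b, n);
    memmove(b->str + pos + n, b->str + pos, b->len - pos + 1); /* moves the NUL too */
    memcpy(b->str + pos, ins, n);
    b->len += n;
}

/* Empty-needle case handled on its own: insert `rep` before every byte and
 * once at the end, up to `limit` insertions (0 = unlimited). Returns the
 * number of insertions. Only `pos` (an index) is carried across buf_insert(),
 * so buffer growth cannot leave anything dangling. */
static unsigned buf_replace_empty(Buf *b, const char *rep, unsigned limit) {
    size_t rlen = strlen(rep);
    unsigned count = 0;
    size_t pos = 0;
    while (pos <= b->len) {
        if (limit && count >= limit) break;
        buf_insert(b, pos, rep, rlen);
        count++;
        pos += rlen + 1;  /* skip the inserted text and the original byte */
    }
    return count;
}

/* Returns 1 when replacing the empty needle in `s` yields `expect`. */
static int check_replace_empty(const char *s, const char *rep, unsigned limit,
                               const char *expect, unsigned expect_count) {
    Buf b;
    buf_init(&b, s);
    unsigned n = buf_replace_empty(&b, rep, limit);
    int ok = n == expect_count && b.len == strlen(b.str) && strcmp(b.str, expect) == 0;
    free(b.str);
    return ok;
}

/* Forces several reallocs with a 200-byte replacement; returns 1 if the
 * result is still consistent after the buffer has moved. */
static int check_growth(void) {
    char rep[201];
    memset(rep, 'X', 200);
    rep[200] = '\0';
    Buf b;
    buf_init(&b, "abc");
    unsigned n = buf_replace_empty(&b, rep, 0);
    int ok = n == 4 && b.len == 803 && b.str[0] == 'X' && b.str[200] == 'a' &&
             b.str[401] == 'b' && b.str[602] == 'c' && b.str[802] == 'X' &&
             b.str[803] == '\0';
    free(b.str);
    return ok;
}

int main(void) {
    Buf b;
    buf_init(&b, "ab");
    unsigned n = buf_replace_empty(&b, "X", 0);
    printf("%u insertions -> \"%s\"\n", n, b.str);  /* 3 insertions -> "XaXbX" */
    free(b.str);
    return 0;
}
```

The index-based loop is the alternative the commit message mentions; the commit itself instead split the empty-needle case into its own branch and loop, which has the same effect of keeping the realloc-prone insertion away from any code that holds pointers into the buffer.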