g_io_channel_read_line_backend() over-reads from the channel buffer
Submitted by Dimitar Zhekov
Link to original bug (#748969)
Description
It would be easier to explain citing the source code. From g_io_channel_read_line_backend():
for (nextchar = use_buf->str + checked_to; nextchar < lastchar; ...)
{
if (channel->line_term)
{
if (memcmp (channel->line_term, nextchar, line_term_len) == 0)
...Before comparing line_term_len bytes, there should be a check that (lastchar - nextchar) <= line_term_len.
For example, with nextchar == lastchar - 1, channel->line_term set, and line_term_len == 2, memcmp() will read 1 undefined char from the channel buffer.
This is not specific to 2.45.1, it exists since at least glib-2.28.8, and probably much earlier.
Version: 2.45.x