g_io_channel_read_line_backend() over-reads from the channel buffer
Submitted by Dimitar Zhekov
Link to original bug (#748969)
Description
It would be easier to explain citing the source code. From g_io_channel_read_line_backend():
    for (nextchar = use_buf->str + checked_to; nextchar < lastchar; ...)
      {
        if (channel->line_term)
          {
            if (memcmp (channel->line_term, nextchar, line_term_len) == 0)
            ...
Before comparing line_term_len bytes, there should be a check that (lastchar - nextchar) <= line_term_len.
For example, with nextchar == lastchar - 1, channel->line_term set, and line_term_len == 2, memcmp() will read 1 undefined char from the channel buffer.
This is not specific to 2.45.1; it has existed since at least glib-2.28.8, and probably much earlier.
Version: 2.45.x
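
The boundary case from the report, as an added example (not GLib code and not part of the original report): `find_line_term`, `backing` and `VALID_LEN` are hypothetical names and the sample buffer is constructed. With `checked` set to 0 the loop compares as in the quoted snippet; with 1 it compares only when at least `term_len` valid bytes remain before `lastchar`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not GLib code: returns the offset of the first
 * terminator in buf[0..len), or -1 if none is found.
 * checked == 0 mirrors the comparison pattern quoted in the report. */
static long
find_line_term (const char *buf, size_t len,
                const char *term, size_t term_len, int checked)
{
  const char *nextchar = buf;
  const char *lastchar = buf + len;

  for (; nextchar < lastchar; nextchar++)
    {
      /* Valid bytes left from nextchar up to (not including) lastchar. */
      size_t remaining = (size_t) (lastchar - nextchar);

      if (checked && remaining < term_len)
        break;  /* a full terminator cannot fit; wait for more data */

      if (memcmp (term, nextchar, term_len) == 0)
        return (long) (nextchar - buf);
    }
  return -1;
}

/* Constructed sample: only the first 4 bytes ("abc\r") are valid data;
 * byte 4 is a stale '\n' left in the backing store by an earlier read. */
static const char backing[16] = "abc\r\nstale";
#define VALID_LEN 4

static long demo_unchecked (void) { return find_line_term (backing, VALID_LEN, "\r\n", 2, 0); }
static long demo_checked (void)   { return find_line_term (backing, VALID_LEN, "\r\n", 2, 1); }

int main (void)
{
  printf ("unchecked=%ld checked=%ld\n", demo_unchecked (), demo_checked ());
  return 0;
}
```

The unchecked call reports a terminator at offset 3 because it consumed the stale byte beyond the valid length; in a real channel buffer that byte is whatever happens to follow the data.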