Bug 24278

Summary: strlcat may read from inaccessible memory
Product: Base System
Reporter: Tony Finch <dot>
Component: bin
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Unspecified   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Tony Finch 2001-01-12 19:10:00 UTC
If the buffer size passed to strlcat is zero then it still reads a byte from
the destination buffer when working out its length. This can cause the
program to crash if the destination pointer is just after the end of a
malloced buffer, for example.

This problem was discovered by Richard Kettlewell <rjk@greenend.org.uk>

How-To-Repeat: 
strlcat(0, "foo", 0);
Comment 1 Chris D. Faulhaber 2001-01-17 20:51:50 UTC
State Changed
From-To: open->closed

Committed, thanks!
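
The read ordering described in this report, as an added example: this is not code from the report, the attached file.diff, or the FreeBSD tree, and the names scan_read_first, scan_size_first, bounded_strlcat, peek and dst_reads are hypothetical. It counts how many bytes of dst each ordering examines, and goes slightly beyond the size-zero case: reading dst before consulting size also touches dst[size] whenever no NUL occurs within the first size bytes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static size_t dst_reads;                 /* bytes of dst examined by the last scan */
static char peek(const char *p) { dst_reads++; return *p; }

/* Order the report describes: dst is dereferenced before size is consulted. */
size_t scan_read_first(const char *dst, size_t size)
{
    const char *d = dst;
    dst_reads = 0;
    while (peek(d) != '\0' && size-- != 0)
        d++;
    return (size_t)(d - dst);
}

/* Bounded order: size is consulted first, so at most `size` bytes are read. */
size_t scan_size_first(const char *dst, size_t size)
{
    const char *d = dst;
    dst_reads = 0;
    while (size-- != 0 && peek(d) != '\0')
        d++;
    return (size_t)(d - dst);
}

/* strlcat built on the bounded scan; returns the length it tried to create. */
size_t bounded_strlcat(char *dst, const char *src, size_t size)
{
    size_t dlen = scan_size_first(dst, size);
    size_t slen = strlen(src);
    if (dlen == size)                    /* size == 0, or no NUL within size bytes */
        return size + slen;
    size_t room = size - dlen - 1;       /* keep one byte for the terminator */
    size_t ncopy = slen < room ? slen : room;
    memcpy(dst + dlen, src, ncopy);
    dst[dlen + ncopy] = '\0';
    return dlen + slen;
}

int main(void)
{
    char buf[8] = "ab";                  /* constructed sample buffer */
    /* dst points one past the end of buf; with size 0 it is never dereferenced */
    size_t r = bounded_strlcat(buf + sizeof buf, "foo", 0);
    printf("ret=%zu dst bytes read=%zu\n", r, dst_reads);
    return 0;
}
```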