Previously e2fsck would corrupt memory if the log file name was longer
than 100 bytes (e.g., a long log_filename value in e2fsck.conf or a
pattern that expands out to more than 100 bytes). This was due to
incorrectly calling realloc() in append_string() on the struct string
instead of the malloc'ed char* buffer, among other problems. This
patch fixes the call to realloc() and also ensures that the buffer is
grown by sufficiently many bytes (not just by 2x).

Signed-off-by: Nickolai Zeldovich <nickolai@csail.mit.edu>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
static void append_string(struct string *s, const char *a, int len)
{
+ int needlen;
+
if (!len)
len = strlen(a);
- if (s->end + len >= s->len) {
- char *n = realloc(s, s->len * 2);
+ needlen = s->end + len + 1;
+ if (needlen > s->len) {
+ char *n;
+
+ if (s->len * 2 > needlen)
+ needlen = s->len * 2;
+ n = realloc(s->s, needlen);
if (n) {
s->s = n;
- s->len = s->len * 2;
+ s->len = needlen;
} else {
- len = s->len - s->end - 1;
- if (len <= 0)
- return;
+ /* Don't append if we ran out of memory */
+ return;
}
}
memcpy(s->s + s->end, a, len);
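Review bot: the realloc-failure branch at the end of the hunk (`/* Don't append if we ran out of memory */ return;`) now drops the whole append silently, whereas the replaced code (`len = s->len - s->end - 1;`) still copied the part that fit; the caller has no way to learn that the log file name was truncated, so consider recording the failure (a flag in `struct string` or a return value from `append_string()`) so the caller can report it, and note the behaviour change in the commit message. A second point in the growth path: `needlen` is an `int` computed as `s->end + len + 1`, where `len` may come from `strlen(a)`; the additions and the doubling `s->len * 2` are unchecked for overflow and the result is converted implicitly to realloc()'s `size_t` parameter, so declaring `needlen` as `size_t` and bailing out when the sum would wrap would close that edge case in the very function this patch hardens.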