Ticket #92 (closed defect: fixed)
Unintended pointer incrementation in function outputResponse
Reported by: | Knut Landmark | Owned by: | |
---|---|---|---|
Priority: | major | Milestone: | |
Component: | zoo-kernel | Version: | |
Keywords: | | Cc: | |
Description
The following clause in function outputResponse (zoo-kernel/service_internal.c, rev. 459, line 1998) causes unexpected behavior:
```c
if(lenv!=NULL){
  tmp0=(char*)malloc((strlen(lenv->value)+strlen(_("Unable to run the Service. The message returned back by the Service was the following: "+1)))*sizeof(char));
  sprintf(tmp0,_("Unable to run the Service. The message returned back by the Service was the following: %s"),lenv->value);
}
```
The const char* argument to strlen is incremented by +1, whereas the intention is to allocate an additional byte. Line 1999 should presumably be written
```c
tmp0=(char*)malloc((strlen(lenv->value)+strlen(_("Unable to run the Service. The message returned back by the Service was the following: "))+1)*sizeof(char));
```
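The size arithmetic described in this ticket, worked through as an added example (not code from the ticket or from ZOO-Project): it compares the size the expression computes as written, the size the proposed expression computes, and the number of bytes `sprintf` actually writes. Assumptions: the gettext `_()` wrapper is left out, and `size_as_written`, `size_as_proposed`, `size_required` and `format_error` are hypothetical names.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Message text from the ticket; _() is omitted (assumption: untranslated). */
#define PREFIX "Unable to run the Service. The message returned back by the Service was the following: "

/* Size computed by the expression as written in the ticket: the +1 is
 * applied to the string pointer, so strlen() skips the first character. */
size_t size_as_written(const char *value) {
    const char *prefix = PREFIX;
    return (strlen(value) + strlen(prefix + 1)) * sizeof(char);
}

/* Size computed by the expression the ticket proposes. */
size_t size_as_proposed(const char *value) {
    return (strlen(value) + strlen(PREFIX) + 1) * sizeof(char);
}

/* Bytes sprintf() writes for this message, terminating NUL included,
 * measured from the format itself rather than from a second string. */
size_t size_required(const char *value) {
    int n = snprintf(NULL, 0, PREFIX "%s", value);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hypothetical replacement for the clause: measure, allocate, then
 * format with an explicit bound. Caller frees the result. */
char *format_error(const char *value) {
    size_t need = size_required(value);
    char *buf = need ? malloc(need) : NULL;
    if (buf != NULL)
        snprintf(buf, need, PREFIX "%s", value);
    return buf;
}

int main(void) {
    const char *value = "constructed sample error"; /* constructed input */
    printf("as written: %zu, proposed: %zu, required: %zu\n",
           size_as_written(value), size_as_proposed(value),
           size_required(value));
    char *msg = format_error(value);
    if (msg != NULL)
        puts(msg);
    free(msg);
    return 0;
}
```

Measuring with `snprintf(NULL, 0, ...)` ties the allocation to the format string that is actually printed, so the size stays correct when a translated format differs in length from a separately translated prefix.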
Change History