Fix buffer overflow when manipulating extensions string.

author: José Fonseca <jfonseca@vmware.com> 2011-10-27 13:23:17 +0100
committer: José Fonseca <jfonseca@vmware.com> 2011-10-27 13:23:17 +0100
commit: 0287384264fec99576668b89e1ec37d8e93a65bb (patch)
tree: eda6b8536f5320daf3ecbeac125c26c49e1b125b /glcaps.cpp
parent: 559d5349e8039871ff14509a26c54c980c8e2cc7 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/glcaps.cpp b/glcaps.cpp
index fed12d7..2f16b63 100644
--- a/glcaps.cpp
+++ b/glcaps.cpp
@@ -32,6 +32,7 @@
  */
 
 
+#include <assert.h>
 #include <string.h>
 #include <stdlib.h>
 
@@ -81,7 +82,11 @@ overrideExtensionsString(const char *extensions)
         extra_extensions_len += extra_extension_len + 1;
     }
 
-    char *new_extensions = (char *)malloc(extensions_len + 1 + extra_extensions_len);
+    // We use malloc memory instead of a std::string because we need to ensure
+    // that extensions strings will not move in memory as the extensionsMap is
+    // updated.
+    size_t new_extensions_len = extensions_len + 1 + extra_extensions_len + 1;
+    char *new_extensions = (char *)malloc(new_extensions_len);
     if (!new_extensions) {
         return extensions;
     }
@@ -102,7 +107,8 @@ overrideExtensionsString(const char *extensions)
         extensions_len += extra_extension_len;
         new_extensions[extensions_len++] = ' ';
     }
-    new_extensions[extensions_len] = '\0';
+    new_extensions[extensions_len++] = '\0';
+    assert(extensions_len <= new_extensions_len);
 
     extensionsMap[extensions] = new_extensions;
author	José Fonseca <jfonseca@vmware.com>	2011-10-27 13:23:17 +0100
committer	José Fonseca <jfonseca@vmware.com>	2011-10-27 13:23:17 +0100
commit	0287384264fec99576668b89e1ec37d8e93a65bb (patch)
tree	eda6b8536f5320daf3ecbeac125c26c49e1b125b /glcaps.cpp
parent	559d5349e8039871ff14509a26c54c980c8e2cc7 (diff)