Обсуждение: Re: Buffer overflow in SerializeLibraryState() found by Address Sanitizer

> On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
>
> Hi hackers!
>
> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last
'\0'it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in
EstimateLibraryStateSpace()

The last '\0' written isn't performed in relation to the size, but at a fixed
index in the buffer:

    ...
    }
    start_address[0] = '\0';

How would that cause a buffer overflow?

--
Daniel Gustafsson

The loop advances the pointer via start_address += len.

-- 
David Geier
(ServiceNow

On 6/10/2025 3:06 PM, Daniel Gustafsson wrote:
>> On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
>>
>> Hi hackers!
>>
>> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last
'\0'it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in
EstimateLibraryStateSpace()
> The last '\0' written isn't performed in relation to the size, but at a fixed
> index in the buffer:
>
>      ...
>      }
>      start_address[0] = '\0';
>
> How would that cause a buffer overflow?
>
> --
> Daniel Gustafsson
>
-- 
David Geier
(ServiceNow)