From 555b60b0626bdcb6e0436625177c375f75664247 Mon Sep 17 00:00:00 2001
From: Joshua Haberman
Date: Wed, 4 Sep 2019 12:01:57 -0700
Subject: [PATCH] A memory safety fix, found by ASAN.

We cannot assume that the input string is NULL-terminated, or read past "len." Instead we manually NULL-terminate it.
---
 upb/table.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/upb/table.c b/upb/table.c
index 13f8d81eb4..8896d217db 100644
--- a/upb/table.c
+++ b/upb/table.c
@@ -276,7 +276,8 @@ static upb_tabkey strcopy(lookupkey_t k2, upb_alloc *a) {
 char *str = upb_malloc(a, k2.str.len + sizeof(uint32_t) + 1);
 if (str == NULL) return 0;
 memcpy(str, &len, sizeof(uint32_t));
- memcpy(str + sizeof(uint32_t), k2.str.str, k2.str.len + 1);
+ memcpy(str + sizeof(uint32_t), k2.str.str, k2.str.len);
+ str[sizeof(uint32_t) + k2.str.len] = '\0';
 return (uintptr_t)str;
 }
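Review bot: The new copy now reads exactly k2.str.len bytes, but the 32-bit length prefix stored by `memcpy(str, &len, sizeof(uint32_t))` and the allocation size `k2.str.len + sizeof(uint32_t) + 1` still assume the length fits in uint32_t and that the size_t sum does not wrap, so a key longer than UINT32_MAX would get a truncated prefix while the full payload is copied after it. If `len` (declared before this hunk) is the narrowed copy of k2.str.len, a guard such as `if (k2.str.len > UINT32_MAX - sizeof(uint32_t) - 1) return 0;` placed before the upb_malloc call keeps prefix, allocation and copy consistent and reuses the existing allocation-failure return value. The two added lines would also benefit from a comment stating the invariant they enforce, e.g. `/* k2.str.str need not be NUL-terminated: copy exactly len bytes and terminate here. */`. strcopy's body begins before the hunk's first context line, so the declaration of `len` is not visible here.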