From 6b35ae81a38573dcc42a944ebd8c2e6317cf5ad3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Yaroslav=20de=20la=20Pe=C3=B1a=20Smirnov?=
Date: Mon, 8 Nov 2021 17:44:18 +0300
Subject: slicecpy: fix buffer overflow on sections shorter than 3 chars.
---
 src/parcini.c | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)
(limited to 'src/parcini.c')
diff --git a/src/parcini.c b/src/parcini.c
index 8434685..89a9356 100644
--- a/src/parcini.c
+++ b/src/parcini.c
@@ -56,16 +56,13 @@ lskip(char **start)
 static char *
 slicecpy(char *start, char *end, char **dst, size_t *dstn)
 {
- size_t srcn = end - start + 1;
- if (*dst == NULL) {
- *dst = malloc(srcn + 1);
- }
- if (*dstn < srcn) {
- char *newptr = realloc(*dst, srcn + 1);
+ size_t srcn = end - start;
+ if (*dstn < srcn + 1) {
+ *dstn = srcn + 1;
+ char *newptr = realloc(*dst, *dstn);
 if (newptr == NULL) {
 return NULL;
 }
- *dstn = srcn + 1;
 *dst = newptr;
 }
 for (size_t i = 0; i < srcn; i++) {
@@ -132,7 +129,7 @@ parcini_parse_next_line(parcini_t *parser, struct parcini_line *parsed)
 if (cmnt && cmnt < end) {
 return PARCINI_SECTION_PARSE_ERROR;
 }
- if (!slicecpy(start + 1, end - 1, &parser->last_section,
+ if (!slicecpy(start + 1, end, &parser->last_section,
 &parser->last_section_n)) {
 return PARCINI_MEMORY_ERROR;
 }
@@ -231,7 +228,7 @@ parcini_init(FILE *stream)
 if (parser != NULL) {
 parser->stream = stream;
 parser->last_section = strdup("");
- parser->last_section_n = 2;
+ parser->last_section_n = 1;
 }
 
 return parser;
-- 
cgit v1.2.3
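Review bot: In the new slicecpy body `*dstn = srcn + 1;` is stored before the realloc() result is checked, so a failed realloc leaves `*dstn` larger than the buffer `*dst` still points to. If the parser is used again after PARCINI_MEMORY_ERROR (not visible from this hunk), a later section that fits the recorded size would skip the realloc and the copy loop would write past the old allocation. The size update should stay behind the success check, as the removed code had it: `char *newptr = realloc(*dst, srcn + 1);` with `*dstn = srcn + 1;` placed next to `*dst = newptr;`. The body of slicecpy continues past the end of the hunk.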
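Review bot: `end` is now passed as an exclusive bound at this call, but slicecpy has no comment stating that contract, and any other caller outside the visible hunks that still passes an inclusive end would silently lose its last character. I would add above slicecpy `/* Copy the half-open range [start, end) into *dst; *dstn is the allocated size of *dst in bytes. */` and check the remaining call sites against it. parcini_parse_next_line starts and ends outside the hunk.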
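Review bot: `parser->last_section_n = 1;` is set even when `strdup("")` returned NULL, and this commit removes the `*dst == NULL` branch from slicecpy, so an empty section name (where `srcn + 1` does not exceed 1) would skip the realloc and presumably write through a NULL pointer. The recorded size should follow the allocation: `parser->last_section_n = parser->last_section ? 1 : 0;`, or parcini_init should fail when strdup fails. With a size of 0 the first slicecpy call always goes through realloc, which accepts a NULL pointer.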