From 843e31a852977acf2c990fc2cc2ba932dc1eb340 Mon Sep 17 00:00:00 2001
From: Ben Allan
Date: Thu, 1 Feb 2024 14:39:50 -0700
Subject: [PATCH] fix mis-sizing of string in jbuf implementation

Any time the jbuf string grows, the head of the jbuf must be accounted for. This patch fixes that oversight. The oversight leads to writing past the end of the string after it is expanded.
---
 lib/src/ovis_json/ovis_json.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/src/ovis_json/ovis_json.c b/lib/src/ovis_json/ovis_json.c
index 477dfaa87..473315f64 100644
--- a/lib/src/ovis_json/ovis_json.c
+++ b/lib/src/ovis_json/ovis_json.c
@@ -62,10 +62,10 @@ jbuf_t jbuf_append_va(jbuf_t jb, const char *fmt, va_list _ap)
 	cnt = vsnprintf(&jb->buf[jb->cursor], space, fmt, ap);
 	va_end(ap);
 	if (cnt >= space) {
-		space = jb->buf_len + cnt + JSON_BUF_START_LEN;
+		space = jb->buf_len + cnt + JSON_BUF_START_LEN + sizeof(*jb);
 		jb = realloc(jb, space);
 		if (jb) {
-			jb->buf_len = space - sizeof(*jb);
+			jb->buf_len = space - sizeof(*jb);
 			goto retry;
 		} else {
 			return NULL;
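Review bot: The failure branch of `jb = realloc(jb, space);` returns NULL after the local `jb` has already been overwritten, so the original allocation is neither freed nor returned; whether that is a leak depends on the caller still holding its own copy of the handle (jb is passed by value), which the hunk does not show and the function does not document. Either keep the old pointer alive with `jbuf_t tmp = realloc(jb, space); if (!tmp) return NULL; jb = tmp;` together with a comment that the caller retains ownership of the unchanged jbuf on NULL, or free the old jbuf before returning NULL if callers are expected to assign the return value back over their handle. A second, hedged point: `vsnprintf` returns a negative value on an encoding error, and `if (cnt >= space)` together with `jb->buf_len + cnt + ...` then computes a growth size from a negative count; if `cnt` is an `int` and `space` is unsigned, the comparison promotes the negative value and takes the grow path, so a `if (cnt < 0) return NULL;` guard before the size arithmetic would be safer. The size computation on the `+` line also repeats `jb->buf_len + cnt + JSON_BUF_START_LEN` with no overflow check, acceptable for JSON-sized buffers but worth a one-line comment stating that assumption. jbuf_append_va begins before this hunk (the `retry:` label and the derivation of `space` are not visible) and continues after it.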