ROOT-10343

illegal memory overwrite in TMemberInspector::TParentBuf::Append


    Details

      Description

      TMemberInspector::TParentBuf::Append looks like this:

         // Add "add" to string
         if (!add || !add[0]) return;
         Ssiz_t addlen = strlen(add);
         fBuf.reserve(fLen + addlen);
         const char* i = add;
         while (*i) {
            fBuf[fLen++] = *i;
            ++i;
         }
         fBuf[fLen] = 0;
      

      First of all, it's not legal to write to memory through the indexing operator of a vector if it has only been reserved, you need to do resize() for that. I presume you're trying to skip the initialization here.

      Second, the resize/reserve should be 'fLen + addlen + 1' to allow that write of '\0' if fLen is 0. I understand the thinking here otherwise, namely that once a +1 is done, you don't need it anymore for any subsequent Append, as you're just overwriting the old '\0'. But if you don't do it on fLen == 0, then it never happens.
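The two defects described above, replayed as an added example (not ROOT's code and not the reporter's): a hypothetical CheckedBuf stands in for the std::vector<char> fBuf and, instead of storing characters, counts every write at an index at or past size() (undefined behaviour after a bare reserve()) and at or past capacity() (the actual memory overwrite), for the Append as quoted and for the corrected form.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Hypothetical stand-in for the std::vector<char> fBuf (added example, not ROOT's code).
// It stores no characters, only the bounds a vector enforces: `size` mirrors size(),
// `cap` mirrors capacity(), and every write is checked against both.
struct CheckedBuf {
   std::size_t size = 0, cap = 0;
   std::size_t pastSize = 0;  // writes at index >= size(): undefined behaviour
   std::size_t pastCap = 0;   // writes at index >= capacity(): the memory overwrite
   void reserve(std::size_t n) { if (n > cap) cap = n; }
   void resize(std::size_t n) { size = n; if (n > cap) cap = n; }
   void write(std::size_t i) {
      if (i >= size) ++pastSize;
      if (i >= cap) ++pastCap;
   }
};

// Append exactly as quoted in the issue, with the stores replaced by checked writes.
void ReportedAppend(CheckedBuf& fBuf, std::size_t& fLen, const char* add) {
   if (!add || !add[0]) return;
   std::size_t addlen = std::strlen(add);
   fBuf.reserve(fLen + addlen);               // no room for the terminator
   for (const char* i = add; *i; ++i) fBuf.write(fLen++);
   fBuf.write(fLen);                          // the '\0' store
}

// The fix the report asks for: resize() so the indices exist, and +1 for the '\0'.
void FixedAppend(CheckedBuf& fBuf, std::size_t& fLen, const char* add) {
   if (!add || !add[0]) return;
   std::size_t addlen = std::strlen(add);
   fBuf.resize(fLen + addlen + 1);
   for (const char* i = add; *i; ++i) fBuf.write(fLen++);
   fBuf.write(fLen);
}

// Replays a sequence of appends on an empty buffer and returns the recorded bounds
// violations, so the two versions can be compared on the same constructed input.
CheckedBuf Replay(void (*append)(CheckedBuf&, std::size_t&, const char*),
                  const std::vector<const char*>& parts) {
   CheckedBuf buf;
   std::size_t len = 0;
   for (const char* p : parts) append(buf, len, p);
   return buf;
}
```

The model uses exactly the requested capacity; a real std::vector::reserve may allocate more than asked, which is why the one-byte overrun of the '\0' store can go unnoticed on a given build until a sanitizer or a tight allocation exposes it.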

            People

            • Assignee:
              pcanal Philippe Canal
              Reporter:
              wlav Wim Lavrijsen