Revision 8af42882
| ID | 8af42882a51c632a14d77277df0740f1aa8c958a |
readline: Fix buffer overrun on re-add to history
readline_hist_add() moves the history entry to the end of history. It
uses memmove() to move rs->history[idx + 1..] to rs->history[idx..].
However, its size argument is off by two array elements, so it writes
one element beyond rs->history[], and reads two.
On my system, this clobbers rs->hist_entry and the hole right after
it. Since the function assigns to rs->hist_entry in time, the bug has
no ill effects for me.
Spotted by Coverity.
Signed-off-by: Markus Armbruster <armbru@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@linux.vnet.ibm.com>
Files
- added
- modified
- copied
- renamed
- deleted