Compute the correct size of the string to move forward.

Previously this was counting the amount of spare room at the start of the buffer that the string needed to move forward and passing that as the number of bytes to copy to memmove rather than the length of the string to be copied. In the strfmon test in the test suite this caused the memmove to overflow the allocated buffer by one byte which CHERI caught. Reported by: CHERI Reviewed by: kevans Obtained from: CheriBSD MFC after: 1 week Sponsored by: DARPA Differential Revision: https://reviews.freebsd.org/D26280
2020-09-02 20:04:26 +00:00 · 2020-09-02 20:04:26 +00:00 · 1a4531bc98
commit 1a4531bc98
parent a2d704d19f
1 changed files with 1 additions and 1 deletions
--- a/lib/libc/stdlib/strfmon.c
+++ b/lib/libc/stdlib/strfmon.c
@ -645,7 +645,7 @@ __format_grouped_double(double value, int *flags,
 		memset(bufend, pad_char, padded);
 	}

-	bufsize = bufsize - (bufend - rslt) + 1;
+	bufsize = rslt + bufsize - bufend;
 	memmove(rslt, bufend, bufsize);
 	free(avalue);
 	return (rslt);