pspp-dump-sav: Fix write past end of buffer in corner case.
author Ben Pfaff <blp@cs.stanford.edu>
Sat, 23 Feb 2019 01:16:40 +0000 (17:16 -0800)
committer Ben Pfaff <blp@cs.stanford.edu>
Sat, 23 Feb 2019 01:16:40 +0000 (17:16 -0800)
If count == 0 and size > 0, then n_bytes is 0, buffer is a 1-byte
allocation, and the assignment to buffer[size] would write to buffer[1]
(or past it), which is past the end of the allocation.

Found by Address Sanitizer.
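The bug described above, as an added example that is not PSPP's own code: a stand-alone model of open_text_record() that reads from an in-memory byte array (a constructed stand-in for struct sfm_reader) instead of a file. It places the terminator at buffer[n_bytes], as the fix does, and adds the two checks a hardened version of this routine would want, a guard against size * count (and n_bytes + 1) wrapping, and a check that the input actually holds n_bytes bytes. The helper old_terminator_out_of_bounds() reports whether the pre-fix index buffer[size] would fall outside the n_bytes + 1 allocation. All names and the mem_reader type are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for PSPP's struct sfm_reader: bytes plus a cursor. */
struct mem_reader {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Mirrors the fields the hunk assigns: n_bytes of text followed by a NUL. */
struct text_record {
    char *buffer;
    size_t size;    /* n_bytes, not counting the NUL */
};

/* Does the pre-fix terminator index, buffer[size], lie outside an
   allocation of n_bytes + 1 bytes?  Valid indices are 0..n_bytes, so the
   write is out of bounds exactly when size > n_bytes, e.g. count == 0. */
static bool old_terminator_out_of_bounds(size_t size, size_t count)
{
    size_t n_bytes = size * count;
    return size > n_bytes;
}

/* Hardened model of open_text_record().  Returns NULL if size * count
   would wrap (so that n_bytes + 1 could wrap too) or if fewer than
   n_bytes bytes remain; otherwise a record whose buffer is NUL-terminated
   at index n_bytes. */
static struct text_record *read_text_record(struct mem_reader *r,
                                            size_t size, size_t count)
{
    /* size * count <= SIZE_MAX - 1 guarantees n_bytes + 1 does not wrap. */
    if (size != 0 && count > (SIZE_MAX - 1) / size)
        return NULL;
    size_t n_bytes = size * count;

    /* Refuse a short read instead of reading past the available input. */
    if (n_bytes > r->len - r->pos)
        return NULL;

    struct text_record *t = malloc(sizeof *t);
    if (t == NULL)
        return NULL;
    t->buffer = malloc(n_bytes + 1);   /* 1 byte when count == 0 */
    if (t->buffer == NULL) {
        free(t);
        return NULL;
    }
    memcpy(t->buffer, r->data + r->pos, n_bytes);
    r->pos += n_bytes;
    t->buffer[n_bytes] = '\0';         /* index n_bytes, never index size */
    t->size = n_bytes;
    return t;
}

static void free_text_record(struct text_record *t)
{
    if (t != NULL) {
        free(t->buffer);
        free(t);
    }
}
```

With count == 0 the record is an empty string in a 1-byte allocation, which is exactly the case the commit message describes; with count > 1 the terminator lands after all size * count bytes rather than after the first size bytes.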

utilities/pspp-dump-sav.c

index 1d8d78c87739a9fbd999f952a8137b567698e19d..70687ebc803bb23a6f610b79f69a76476b0050fa 100644 (file)
@@ -1403,7 +1403,7 @@ open_text_record (struct sfm_reader *r, size_t size, size_t count)
   size_t n_bytes = size * count;
   char *buffer = xmalloc (n_bytes + 1);
   read_bytes (r, buffer, n_bytes);
-  buffer[size] = '\0';
+  buffer[n_bytes] = '\0';
   text->reader = r;
   text->buffer = buffer;
   text->size = n_bytes;
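Review bot: the product in `size_t n_bytes = size * count;` is still unchecked before `xmalloc (n_bytes + 1)`: if the two operands can be large, the multiplication can wrap so that n_bytes no longer corresponds to size and count, and in the single case n_bytes == SIZE_MAX the `n_bytes + 1` wraps to 0, so the allocation is empty while read_bytes is asked for SIZE_MAX bytes and the terminator is written at buffer[SIZE_MAX]. An explicit guard before the allocation, such as rejecting the record when `size != 0 && count > (SIZE_MAX - 1) / size`, or an overflow-checking allocator, would close that off. The change itself is right, and note that the old `buffer[size]` was wrong for count > 1 as well (the NUL landed after the first size bytes rather than at the end), so `buffer[n_bytes]` fixes both shapes of the bug.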