For a non-preallocated dest-string and sourcestring of len < 2,
(one or both of the) final two zero-bytes would be written
after the end of the allocated dest-string. The sourcelen did
not include the source string terminator. For longer strings,
this was not a problem because the dest-string would have been
reallocated in the convert-loop. This is fixed now by allocating
two extra bytes for the terminating 0-bytes that are needed anyways
in the initial allocation.
Pair-Programmed-With: Gregor Beck <gbeck@sernet.de>
dst = *pdst;
if (dst == NULL) {
- /* dstlen = 2*srclen + 2; */
- dstlen = srclen;
+ /*
+ * Allocate an extra two bytes for the
+ * terminating zero.
+ */
+ dstlen = srclen + 2;
dst = (char *)talloc_size(ctx, dstlen);
if (dst == NULL) {
DEBUG(0,("iconver_talloc no mem\n"));