Some code depends on tdb_pack[va] returning the number of bytes it would
write to 'buf' when the bufsize passed in is <= 0. Writing to the
buffer is protected with lines like
if (bufsize && bufsize >= len) {
/* write to 'buf' */
}
however in these instances the local pointer to the buffer is still
modified
buf += len;
It's quite probable if bufsize == 0 that buf itself is NULL,
in this case we should protect against performing pointer arithmetic.
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
int len = 0;
char *s;
char c;
- uint8_t *buf0 = buf;
const char *fmt0 = fmt;
int bufsize0 = bufsize;
-
+ size_t to_write = 0;
while (*fmt) {
switch ((c = *fmt++)) {
case 'b': /* unsigned 8-bit integer */
break;
}
- buf += len;
- if (bufsize)
+ to_write += len;
+ if (bufsize > 0) {
bufsize -= len;
+ buf += len;
+ }
if (bufsize < 0)
bufsize = 0;
}
DEBUG(18,("tdb_pack_va(%s, %d) -> %d\n",
- fmt0, bufsize0, (int)PTR_DIFF(buf, buf0)));
+ fmt0, bufsize0, (int)to_write));
- return PTR_DIFF(buf, buf0);
+ return to_write;
}
size_t tdb_pack(uint8_t *buf, int bufsize, const char *fmt, ...)
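Review bot: The new guard around `buf += len;` only covers the bufsize == 0 case; when 0 < bufsize < len the pointer is still advanced by the full len before the clamp `if (bufsize < 0) bufsize = 0;` runs, so buf can point more than one element past the end of the caller's buffer. That is undefined pointer arithmetic in C even though the gated write never dereferences it, and it was already present before this change. Since the write is already gated on `bufsize >= len`, replacing the three lines `if (bufsize > 0) {` / `bufsize -= len;` / `buf += len;` with `if (bufsize >= len) { bufsize -= len; buf += len; } else { bufsize = 0; }` keeps buf inside the object without altering what is written or the returned count. `to_write` is a `size_t` summed from an `int len`, whereas the removed `PTR_DIFF` result was signed; the prototype of tdb_pack_va is outside the hunk, so confirm its return type agrees with `return to_write;` (tdb_pack on the following line returns `size_t`).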