The loop advances the pointer via start_address += len.
--
David Geier
(ServiceNow
On 6/10/2025 3:06 PM, Daniel Gustafsson wrote:
>> On 10 Jun 2025, at 14:59, David Geier <geidav.pg@gmail.com> wrote:
>>
>> Hi hackers!
>>
>> SerializeLibraryState() writes 1 byte too much into the buffer pointed to by start_address. This is the very last
'\0'it writes after the loop. Attached is a patch that fixes the problem by accounting for that extra byte in
EstimateLibraryStateSpace()
> The last '\0' written isn't performed in relation to the size, but at a fixed
> index in the buffer:
>
> ...
> }
> start_address[0] = '\0';
>
> How would that cause a buffer overflow?
>
> --
> Daniel Gustafsson
>
--
David Geier
(ServiceNow)