On 20 July 2016 at 22:23, Don Lewis <[email protected]> wrote: > It passes a fixed-length non-NUL terminated buffer (returned by read(2)) > to mbrtowc(). In addition to the lack of termination, the buffer could > also contain a partial character at its beginning or end if the contents > are UTF-8. > > The Coverity ID is 978825.
I don't have access to Coverity, but with boru's help, I managed to check the lines. There is no problem as far as I can tell --- yes, the buffer is not NUL-terminated [1], *BUT* `mbrtowc(3)` takes a `len` argument (which is returned from said `read(2)`), so it never tries to read out of scope [2,3]. The problem might still be elsewhere, though --- the code is somewhat hairy, so I'll give it a closer check tomorrow. [1] https://svnweb.freebsd.org/base/head/usr.bin/wc/wc.c?view=markup#l277 [2] https://svnweb.freebsd.org/base/head/usr.bin/wc/wc.c?view=markup#l290 [3] `man 3 mbrtowc` _______________________________________________ [email protected] mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "[email protected]"
