feverfew added a comment.

  Seems like something similar should also occur in `FileJob::write`?

INLINE COMMENTS

> kio_sftp.cpp:1831-1832
> +            while (offset < buffer.size()) {
> +                const auto length = qMin<int>(MAX_XFER_BUF_SIZE, 
> buffer.size());
> +                ssize_t bytesWritten = sftp_write(file, buffer.data() + 
> offset, length);
> +                if (bytesWritten < 0) {
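
Review bot: the `length` computed in the quoted loop ignores `offset`, so on every iteration after the first the `sftp_write()` call is told there are `qMin<int>(MAX_XFER_BUF_SIZE, buffer.size())` bytes available at `buffer.data() + offset` when only `buffer.size() - offset` remain, which reads past the end of `buffer`. The remaining size should be used instead: `const auto length = qMin<int>(MAX_XFER_BUF_SIZE, buffer.size() - offset);` so that each chunk is bounded by what is actually left after `offset`.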

AFAICT the size of the buffer never changes so this will easily cause a buffer 
overrun if I'm not mistaken?

Say for example you have a buffer with `buffer.size() == MAX_XFER_BUF_SIZE + 
1`. Then on the second iteration of the while loop (assuming `bytesWritten == 
MAX_XFER_BUF_SIZE`) you'll do a `sftp_write()` pointing to a `char` buffer of 
size 1, but which incorrectly states that the size is `MAX_XFER_BUF_SIZE`.

REPOSITORY
  R320 KIO Extras

REVISION DETAIL
  https://phabricator.kde.org/D29634

To: sitter, ngraham
Cc: feverfew, kde-frameworks-devel, kfm-devel, waitquietly, azyx, nikolaik, 
pberestov, iasensio, aprcela, fprice, LeGast00n, cblack, fbampaloukas, alexde, 
Codezela, meven, michaelh, spoorun, navarromorales, firef, ngraham, 
andrebarros, bruns, emmanuelp, rdieter, mikesomov
