On 20/11/2015 19:48, Eric Blake wrote: >> > + token = g_malloc(sizeof(JSONToken) + input->len + 1); >> > + token->type = type; >> > + memcpy(token->str, input->str, input->len + 1); >> > + token->str[input->len] = 0; > Looks like you are writing the last byte twice. Either the +1 in the > memcpy() always copies a NUL byte and we don't need the second > assignment, or you should drop the +1. > > Otherwise, looks like a sane replacement that saves a lot of memory.
You're right. The memcpy is wrong and reads out of bounds. Paolo > Reviewed-by: Eric Blake <ebl...@redhat.com> > > Are we hoping to get this in 2.5 because it fixes the memory hog bug, or > are we considering that it is not a regression from 2.4 and therefore > something that should wait for 2.6?
