Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply

2016-01-18 Thread David Vrabel
On 18/01/16 16:38, David Vrabel wrote:
> On 18/01/16 16:29, Insu Yun wrote:
>> When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
>> it can overflow integer range and allocates small size of heap.
>> After that, memcpy will overflow the allocated heap.
>> Therefore, it needs to ch

Re: [Xen-devel] [PATCH] xen: fix potential integer overflow in queue_reply

2016-01-18 Thread David Vrabel
On 18/01/16 16:29, Insu Yun wrote:
> When len is greater than UINT_MAX - sizeof(*rb), in next allocation,
> it can overflow integer range and allocates small size of heap.
> After that, memcpy will overflow the allocated heap.
> Therefore, it needs to check the size of given length.
[...]
> --- a/d