make buf_getstring fail prior to malloc if the buffer is short

--HG-- branch : fuzz
2025-03-03 10:41:39 +00:00 · 2017-05-20 23:39:01 +08:00 · 2017-05-20 23:39:01 +08:00 · 9f1c8b2f8f
commit 9f1c8b2f8f
parent c169423051
1 changed files with 3 additions and 1 deletions
--- a/buffer.c
+++ b/buffer.c
@ -209,6 +209,7 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {

 	unsigned int len;
 	char* ret;
+	void* src = NULL;
 	len = buf_getint(buf);
 	if (len > MAX_STRING_LEN) {
 		dropbear_exit("String too long");
@ -217,8 +218,9 @@ char* buf_getstring(buffer* buf, unsigned int *retlen) {
 	if (retlen != NULL) {
 		*retlen = len;
 	}
+	src = buf_getptr(buf, len);
 	ret = m_malloc(len+1);
-	memcpy(ret, buf_getptr(buf, len), len);
+	memcpy(ret, src, len);
 	buf_incrpos(buf, len);
 	ret[len] = '\0';