<div dir="auto" style="word-wrap:break-word;-webkit-nbsp-mode:space;line-break:after-white-space;">
<pre class="code highlight" lang="c">Hi,</pre>
<pre class="code highlight" lang="c"></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c"><span class="k">In lib/string.h line 38,</span></span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c"><span class="k"> </span></span></pre>
<pre class="code highlight" lang="c"><span id="LC38" class="line" lang="c"><span class="k">static</span> <span class="kr">inline</span> <span class="kt">char</span> <span class="o">*</span></span> <span id="LC39" class="line" lang="c"><span class="nf">xstrdup</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">c</span><span class="p">)</span></span> <span id="LC40" class="line" lang="c">{</span> <span id="LC41" class="line" lang="c"> <span class="kt">size_t</span> <span class="n">l</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span></span></pre>
<pre class="code highlight" lang="c">// xmalloc may fail, and z will be NULL. <span id="LC42" class="line" lang="c"> <span class="kt">char</span> <span class="o">*</span><span class="n">z</span> <span class="o">=</span> <span class="n">xmalloc</span><span class="p">(</span><span class="n">l</span><span class="p">);</span></span></pre>
<pre class="code highlight" lang="c">// write to a NULL pointer, crash. <span id="LC43" class="line" lang="c"> <span class="n">memcpy</span><span class="p">(</span><span class="n">z</span><span class="p">,</span> <span class="n">c</span><span class="p">,</span> <span class="n">l</span><span class="p">);</span></span> <span id="LC44" class="line" lang="c"> <span class="k">return</span> <span class="n">z</span><span class="p">;</span></span> <span id="LC45" class="line" lang="c">}</span> </pre>
<pre class="code highlight" lang="c"><span class="line" lang="c"> </span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c">I think this is a vulnerability (a write through a NULL pointer when xmalloc fails), and maybe we can fix it as follows:</span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c"> </span></pre>
        <div>
<pre class="code highlight" lang="c"><span id="LC38" class="line" lang="c"><span class="k">static</span> <span class="kr">inline</span> <span class="kt">char</span> <span class="o">*</span></span> <span id="LC39" class="line" lang="c"><span class="nf">xstrdup</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">c</span><span class="p">)</span></span> <span id="LC40" class="line" lang="c">{</span> <span id="LC41" class="line" lang="c"> <span class="kt">size_t</span> <span class="n">l</span> <span class="o">=</span> <span class="n">strlen</span><span class="p">(</span><span class="n">c</span><span class="p">)</span> <span class="o">+</span> <span class="mi">1</span><span class="p">;</span></span></pre>
<pre class="code highlight" lang="c"><span id="LC42" class="line" lang="c"> <span class="kt">char</span> <span class="o">*</span><span class="n">z</span> <span class="o">=</span> <span class="n">xmalloc</span><span class="p">(</span><span class="n">l</span><span class="p">);</span></span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c"><span class="p"> if(z)</span></span></pre>
<pre class="code highlight" lang="c">  { </pre>
<pre class="code highlight" lang="c">     <span class="n">memcpy</span><span class="p">(</span><span class="n">z</span><span class="p">,</span> <span class="n">c</span><span class="p">,</span> <span class="n">l</span><span class="p">);</span></pre>
<pre class="code highlight" lang="c"><span id="LC44" class="line" lang="c"> <span class="k">return</span> <span class="n">z</span><span class="p">;</span></span></pre>
<pre class="code highlight" lang="c">  }</pre>
<pre class="code highlight" lang="c"><span id="LC43" class="line" lang="c"> else return -1;</span> <span id="LC45" class="line" lang="c">}</span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c"> </span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c">Thanks for any consideration!</span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c"> </span></pre>
<pre class="code highlight" lang="c"><span class="line" lang="c">Peiyu Liu, </span></pre>
<pre class="code highlight" lang="c">NESA lab, </pre>
<pre class="code highlight" lang="c">Zhejiang University</pre>
        </div>
</div>