[Mono-list] Mono.Unix.Native.Syscall.readlink memory corruption

Gonzalo Paniagua Javier gonzalo at ximian.com
Wed Mar 15 12:04:31 EST 2006


On Tue, 2006-03-14 at 18:38 -0500, Jonathan Pryor wrote:
> Which is why I'm confused.  It seems that mono_string_utf8_to_builder is
> invoked to copy the internally-allocated unmanaged buffer into an
> existing StringBuilder instance.
> 
> So if g_utf8_to_utf16 converts more characters than the capacity of the
> StringBuilder, wouldn't that imply that the internal buffer was
> overflowed?
> 
> Which is why I don't see why null-terminating the input string actually
> helps...

In the readlink case, it does not mean that the buffer overflowed, but
as there's no space in the buffer, the \0 is not added at the end of the
buffer. Then strlen might try to read from an invalid memory address,
which can segfault. If strlen works fine (just by chance) but the
capacity is less than the generated UTF-16 string, that memcpy there
won't copy the NUL at the end of the MonoString character array, which
can cause further invalid reads when converting the stringbuilder into a
string (and other methods might fail too). That's why I added the NUL
when we don't have one.

-Gonzalo
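The exact-fit case Gonzalo describes, as an added C example that is not part of the original message or of Mono's own code. readlink(2) never writes a trailing NUL and returns only the byte count, so a target that fills the buffer exactly leaves nothing for strlen to stop on. The fake_readlink stand-in, the link table and the /tmp/... paths below are constructed for the example so it runs offline; it keeps the syscall's contract, and the real readlink from <unistd.h> can be passed in its place. naive_strlen_after_readlink reproduces the bug with a sentinel after the buffer so the over-read shows up as a wrong length rather than a segfault; terminated_readlink is the "add the NUL ourselves" fix from the reply, and readlink_alloc goes one step further and regrows the buffer so silent truncation cannot occur either.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Stand-in for readlink(2), constructed for this example so it runs
 * offline. It keeps the syscall's contract: at most bufsiz bytes of the
 * target are copied into buf, NO trailing NUL is written, and the number
 * of bytes copied is returned (-1 if the path is not a link). Pass
 * readlink from <unistd.h> as the rl_fn to run against real symlinks. */
typedef ssize_t (*rl_fn)(const char *path, char *buf, size_t bufsiz);

static const char *const fake_links[][2] = {          /* hypothetical links */
    {"/tmp/short", "/etc/hosts"},                          /* 10 bytes */
    {"/tmp/exact", "0123456789abcdef"},                    /* 16 bytes */
    {"/tmp/long",  "/usr/lib/x86_64-linux-gnu/libc.so.6"}, /* 35 bytes */
};

static ssize_t fake_readlink(const char *path, char *buf, size_t bufsiz)
{
    for (size_t i = 0; i < sizeof fake_links / sizeof fake_links[0]; i++) {
        if (strcmp(fake_links[i][0], path) == 0) {
            size_t len = strlen(fake_links[i][1]);
            size_t n = len < bufsiz ? len : bufsiz;
            memcpy(buf, fake_links[i][1], n);   /* no NUL, like the syscall */
            return (ssize_t)n;
        }
    }
    return -1;
}

/* The bug pattern from the thread: a zero-filled buffer of exactly
 * `capacity` bytes (the StringBuilder's storage) is handed to readlink and
 * the result length is taken with strlen(). When the target fills the
 * buffer exactly there is no NUL inside it, so strlen() walks into whatever
 * follows. Here the following bytes are a 'Z' sentinel we control, so the
 * over-read shows as a too-large length instead of a crash. */
#define SENTINEL_BYTES 8
static size_t naive_strlen_after_readlink(rl_fn rl, const char *path, size_t capacity)
{
    char *buf = malloc(capacity + SENTINEL_BYTES);
    if (!buf) return 0;
    memset(buf, 'Z', capacity + SENTINEL_BYTES);
    memset(buf, 0, capacity);                  /* the "StringBuilder" is zeroed */
    buf[capacity + SENTINEL_BYTES - 1] = '\0'; /* so the demo itself terminates */
    if (rl(path, buf, capacity) < 0) { free(buf); return 0; }
    size_t n = strlen(buf);                    /* over-reads on an exact fit */
    free(buf);
    return n;
}

/* Fix 1 (what the reply describes): always add the NUL ourselves. `out`
 * must hold capacity + 1 bytes so the terminator always has room. Returns
 * the byte count or -1; *truncated is set when n == capacity, because the
 * syscall cannot tell us whether the target was longer than that. */
static ssize_t terminated_readlink(rl_fn rl, const char *path,
                                   char *out, size_t capacity, int *truncated)
{
    ssize_t n = rl(path, out, capacity);
    if (n < 0) return -1;
    out[n] = '\0';
    *truncated = (size_t)n == capacity;
    return n;
}

/* Fix 2: grow the buffer until the target fits with room to spare, so a
 * truncated target can never be mistaken for a complete one. Caller frees. */
static char *readlink_alloc(rl_fn rl, const char *path)
{
    size_t capacity = 16;
    for (;;) {
        char *buf = malloc(capacity + 1);
        if (!buf) return NULL;
        int truncated = 0;
        ssize_t n = terminated_readlink(rl, path, buf, capacity, &truncated);
        if (n < 0) { free(buf); return NULL; }
        if (!truncated) return buf;
        free(buf);
        capacity *= 2;
    }
}

int main(void)
{
    printf("naive strlen, short target : %zu\n",
           naive_strlen_after_readlink(fake_readlink, "/tmp/short", 16));
    printf("naive strlen, exact fit    : %zu (over-read)\n",
           naive_strlen_after_readlink(fake_readlink, "/tmp/exact", 16));
    char *t = readlink_alloc(fake_readlink, "/tmp/long");
    printf("readlink_alloc             : %s\n", t ? t : "(error)");
    free(t);
    return 0;
}
```

With a 16-byte capacity the short target gives strlen 10 only because the buffer happened to be zeroed, exactly the "works fine (just by chance)" situation in the reply; the exact-fit target gives 23, the 16 real bytes plus the 7 sentinel bytes strlen ran into. With a real malloc'd or GC-managed buffer those extra bytes are whatever neighbours the allocation, which is where the segfault or the later bad reads come from.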