bugfixes: smartlist_join_strings2() was underflowing a size_t

if you gave it an empty smartlist; and it wasn't terminating in
this case even if you asked it to.

this does not appear to be exploitable in any reasonable cases.


svn:r4598

1 files changed, 9 insertions, 0 deletions

diff --git a/src/common/container.c b/src/common/container.c
index dea3f71622..01080612c9 100644
--- a/src/common/container.c
+++ b/src/common/container.c
@@ -357,6 +357,10 @@ char *smartlist_join_strings2(smartlist_t *sl, const char *join,
 
   tor_assert(sl);
   tor_assert(join);
+
+  if (sl->num_used == 0)
+    n = join_len; /* special-case this one, to avoid underflow */
+
   for (i = 0; i < sl->num_used; ++i) {
     n += strlen(sl->list[i]);
     n += join_len;
@@ -371,6 +375,11 @@ char *smartlist_join_strings2(smartlist_t *sl, const char *join,
       dst += join_len;
     }
   }
+  if (sl->num_used == 0 && terminate) {
+    /* another special case for length == 0 */
+    memcpy(dst, join, join_len);
+    dst += join_len;
+  }
   *dst = '\0';
 
   if (len_out)