Fix oobwrite in r_strbuf_append_n ##crash

author pancake <pancake@nowsecure.com>

Mon, 22 Dec 2025 19:20:47 +0000 (20:20 +0100)

committer GitHub <noreply@github.com>

Mon, 22 Dec 2025 19:20:47 +0000 (20:20 +0100)
author pancake <pancake@nowsecure.com>
Mon, 22 Dec 2025 19:20:47 +0000 (20:20 +0100)
committer GitHub <noreply@github.com>
Mon, 22 Dec 2025 19:20:47 +0000 (20:20 +0100)
diff --git a/libr/util/strbuf.c b/libr/util/strbuf.c

index d745ce75be22457763aad4bcf9a5546ab8a5d37c..85a8c42036fc4c905897087154e6b6231b01840e 100644 (file)
--- a/libr/util/strbuf.c
+++ b/libr/util/strbuf.c
@@ -261,11 +261,16 @@ R_API bool r_strbuf_append_n(RStrBuf *sb, const char *s, size_t l) {
                 return false;
         }
  
+       if (SZT_ADD_OVFCHK (sb->len, l + 1)) {
+               return false;
+       }
+
+       size_t required = sb->len + l + 1;
         if (sb->weakref || l == 0) {
                 return !sb->weakref;
         }
  
-       if ((sb->len + l + 1) <= sizeof (sb->buf)) {
+       if (required <= sizeof (sb->buf)) {
                 memcpy (sb->buf + sb->len, s, l);
                 sb->buf[sb->len + l] = 0;
                 sb->len += l;
@@ -274,7 +279,6 @@ R_API bool r_strbuf_append_n(RStrBuf *sb, const char *s, size_t l) {
         }
  
         char *p = sb->ptr;
-       size_t required = sb->len + l + 1;
         size_t current = sb->ptr? sb->ptrlen: sizeof (sb->buf);
  
         // Only grow if current capacity is insufficient
author	pancake <pancake@nowsecure.com>
	Mon, 22 Dec 2025 19:20:47 +0000 (20:20 +0100)
committer	GitHub <noreply@github.com>
	Mon, 22 Dec 2025 19:20:47 +0000 (20:20 +0100)