When a token is longer than the built-in 256-byte buffer, a buffer is
malloc()'d but it was not properly null-terminated.
Found by afl-fuzz.
Reported-by: Bhargava Shastry <bshastry@sec.t-labs.tu-berlin.de>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reviewed-by: Greg Rose <gvrose8192@gmail.com>
? token->buffer
: xmalloc(length + 1));
memcpy(token->s, s, length);
- token->buffer[length] = '\0';
+ token->s[length] = '\0';
}
void
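Review bot: The removed line `token->buffer[length] = '\0';` did more than leave the heap copy unterminated, and the commit message should say so. Assuming `token->buffer` is the built-in 256-byte array the message refers to, a longer token made that store land at or past the end of the array, so the old code also wrote a stray zero byte out of bounds. The replacement `token->s[length] = '\0';` is correct for both arms of the ternary, since `token->s` is either the built-in buffer or the `xmalloc(length + 1)` allocation that `memcpy` just filled. Because this was found by fuzzing, please add a regression test that feeds in a token longer than 256 bytes, so both the termination and the bounds of the write stay covered.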