box: fix out of bound write in error_payload_destroy()
If `strlen(name)` is 1, `value_size` is 1, and `extra` is 0, then 15 bytes are allocated for `struct error_field` in error_payload_prepare(). However, the size of this structure is 16 because of the padding for the alignment. Thus TRASH() in error_payload_destroy() writes 1 byte beyond the structure.

Closes #9098

NO_DOC=bugfix
Showing
- changelogs/unreleased/gh-9098-out-of-bound-write-in-error_payload_destroy.md: 4 additions, 0 deletions
- src/lib/core/error_payload.c: 15 additions, 13 deletions
- src/lib/core/error_payload.h: 1 addition, 1 deletion
- src/lua/error.lua: 1 addition, 1 deletion
- test/unit/xrow.cc: 44 additions, 1 deletion
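
The size mismatch described in the commit message, as an added C example that is not the project's code: the struct layout, the function names and the `memset`-style poisoning are assumptions chosen to reproduce the 15-versus-16-byte case on a 64-bit target. The clamp shown is one possible mitigation, not necessarily the fix made in this commit.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout (not copied from the project): header plus inline name. */
struct field {
	char *data;    /* value bytes, stored after the name */
	uint32_t size; /* value size */
	char name[1];  /* NUL-terminated name starts here */
};

/* Size derived from the offset of the trailing member: can be < sizeof. */
static size_t field_size_unsafe(size_t name_len, size_t value_size, size_t extra) {
	return offsetof(struct field, name) + name_len + 1 + value_size + extra;
}

/* Same size, clamped so the block always covers the whole struct. */
static size_t field_size_safe(size_t name_len, size_t value_size, size_t extra) {
	size_t n = field_size_unsafe(name_len, value_size, extra);
	return n < sizeof(struct field) ? sizeof(struct field) : n;
}

/* Bytes a memset(f, '#', sizeof(*f)) would write past a block of alloc bytes. */
static size_t poison_overrun(size_t alloc) {
	return alloc < sizeof(struct field) ? sizeof(struct field) - alloc : 0;
}

/* Allocate with the clamped size, fill, poison, free. Returns 0 on success. */
static int field_roundtrip(const char *name, const char *value, size_t value_size) {
	size_t name_len = strlen(name);
	struct field *f = calloc(1, field_size_safe(name_len, value_size, 0));
	if (f == NULL)
		return -1;
	char *inline_name = (char *)f + offsetof(struct field, name);
	memcpy(inline_name, name, name_len + 1);
	f->data = inline_name + name_len + 1;
	memcpy(f->data, value, value_size);
	f->size = (uint32_t)value_size;
	int ok = memcmp(f->data, value, value_size) == 0;
	memset(f, '#', sizeof(*f)); /* poisoning stays inside the block */
	free(f);
	return ok ? 0 : -1;
}

int main(void) { /* constructed input: 1-char name, 1-byte value, no extra */
	return field_roundtrip("a", "\x01", 1) == 0 &&
	       poison_overrun(field_size_safe(1, 1, 0)) == 0 ? 0 : 1;
}
```

Building a variant that allocates with `field_size_unsafe()` under AddressSanitizer reports the poisoning `memset` as a heap-buffer-overflow, which makes this class of bug easy to catch in unit tests.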