From 26f65f4996afb3a57b503024db90d306357cf1f1 Mon Sep 17 00:00:00 2001 From: Martin Stein Date: Tue, 16 Jan 2018 14:30:30 +0100 Subject: [PATCH] Xml_node: fix bug in Xml_node::decoded_content Previously, the dst_len value was not decreased after each character that was written to the dst buffer. This way, if the content length was greater than dst_len, decoded_content wrote to memory out of bounds. Issue #2644 --- repos/base/include/util/xml_node.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/repos/base/include/util/xml_node.h b/repos/base/include/util/xml_node.h index 7194ad24b..ae8df1b68 100644 --- a/repos/base/include/util/xml_node.h +++ b/repos/base/include/util/xml_node.h @@ -683,7 +683,7 @@ class Genode::Xml_node char const *src = content_base(); size_t src_len = content_size(); - for (; dst_len && src_len; result_len++) { + for (; dst_len && src_len; dst_len--, result_len++) { Decoded_character const decoded_character(src, src_len);