|
l = strlen(p); |
|
if (p[l-1] != '\n') |
The buffer may contain a zero byte; which may even be at the beginning. This causes strlen to return 0, and thus (size_t) 0 - 1 will result in SIZE_MAX and thus cause an out of buffer access
See https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152422
wsapi/src/fastcgi/lfcgi.c
Lines 365 to 366 in 8bbfe70
The buffer may contain a zero byte; which may even be at the beginning. This causes
strlento return0, and thus(size_t) 0 - 1will result inSIZE_MAXand thus cause an out of buffer accessSee https://wiki.sei.cmu.edu/confluence/pages/viewpage.action?pageId=87152422