see https://bugzilla.samba.org/attachment.cgi?id=3678

patch:
--------

diff --git a/source/lib/charcnv.c b/source/lib/charcnv.c
index cea234f..eec7ae3 100644
--- a/source/lib/charcnv.c
+++ b/source/lib/charcnv.c
@@ -1209,7 +1209,21 @@ static size_t pull_ascii_base_talloc(TALLOC_CTX
*ctx,
        if (dest_len && dest) {
                /* Did we already process the terminating zero ? */
                if (dest[dest_len-1] != 0) {
-                       dest[dest_len-1] = 0;
+                       size_t size = talloc_get_size(dest);
+                       /* Have we got space to append the '\0' ? */
+                       if (size <= dest_len) {
+                               /* No, realloc. */
+                               dest = TALLOC_REALLOC_ARRAY(ctx, dest,
char,
+                                               dest_len+1);
+                               if (!dest) {
+                                       /* talloc fail. */
+                                       dest_len = (size_t)-1;
+                                       return 0;
+                               }
+                       }
+                       /* Yay - space ! */
+                       dest[dest_len] = '\0';
+                       dest_len++;
                }
        } else if (dest) {
                dest[0] = 0;
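Review bot: On the realloc-failure path, `dest_len = (size_t)-1;` is immediately followed by `return 0;`, so the store appears to be dead; dest_len is used here as a plain by-value variable, and the caller only sees the 0. Assigning the result of TALLOC_REALLOC_ARRAY straight back to `dest` also loses the only pointer to the original buffer on failure, so it stays allocated until its talloc parent is freed. Reallocating into a temporary avoids that: `char *tmp = TALLOC_REALLOC_ARRAY(ctx, dest, char, dest_len+1);`, then `if (!tmp) { TALLOC_FREE(dest); return 0; }` and `dest = tmp;`. The function starts and ends outside this hunk, so confirm that the caller-visible output pointer is left NULL (or untouched) on this early return, and that callers treat a 0 return as an error and not as an empty string.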
