On Tue, 2006-03-14 at 18:38 -0500, Jonathan Pryor wrote:
> Which is why I'm confused. It seems that mono_string_utf8_to_builder is
> invoked to copy the internally-allocated unmanaged buffer into an
> existing StringBuilder instance.
>
> So if g_utf8_to_utf16 converts more characters than the capacity of the
> StringBuilder, wouldn't that imply that the internal buffer was
> overflowed?
>
> Which is why I don't see why null-terminating the input string actually
> helps...
In the readlink case, it does not mean that the buffer overflowed, but as there's no space in the buffer, the \0 is not added at the end of the buffer. Then strlen might try to read from an invalid memory address, which can segfault.

If strlen works fine (just by chance) but the capacity is less than the generated UTF-16 string, that memcpy there won't copy the NUL at the end of the MonoString character array, which can cause further invalid reads when converting the StringBuilder into a string (and other methods might fail too).

That's why I added the NUL when we don't have one.

-Gonzalo

Mono-list maillist - [email protected]
http://lists.ximian.com/mailman/listinfo/mono-list
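The two failure modes Gonzalo describes (a readlink buffer that came back full with no NUL for strlen to stop at, and a copy into a StringBuilder whose capacity is smaller than the converted string) as an added, self-contained C illustration; this is not Mono's code, `builder_t`, `readlink_like`, `ensure_nul` and `copy_to_builder` are constructed stand-ins, and dropping the last byte to make room for the terminator is this example's choice, not necessarily what the actual patch did.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for a StringBuilder's backing array (an assumption, not Mono's real
 * layout): `capacity` usable UTF-16 slots plus one reserved slot for the 0. */
typedef struct {
    size_t   capacity;
    uint16_t chars[16 + 1];
} builder_t;

/* readlink(2)-style fill, constructed for offline use: writes at most `size`
 * bytes and, like the real call, never appends a NUL. Returns bytes written. */
size_t readlink_like(const char *target, char *buf, size_t size) {
    size_t n = strlen(target);
    if (n > size) n = size;
    memcpy(buf, target, n);
    return n;
}

/* When the buffer came back full there is no NUL for strlen() to stop at,
 * so one is written before any length calculation or conversion. */
size_t ensure_nul(char *buf, size_t size, size_t written) {
    if (written >= size)
        written = size - 1;           /* make room for the terminator */
    buf[written] = '\0';
    return written;                   /* length strlen() will now report */
}

/* Copy at most `capacity` characters and always write the trailing 0, even when
 * the source is longer (the memcpy case). Widening stands in for UTF-8 -> UTF-16. */
size_t copy_to_builder(const char *src, size_t srclen, builder_t *b) {
    size_t n = srclen < b->capacity ? srclen : b->capacity;
    for (size_t i = 0; i < n; i++)
        b->chars[i] = (uint16_t)(unsigned char)src[i];
    b->chars[n] = 0;
    return n;
}

/* Scenario: 23-byte target into a 16-byte scratch buffer, then into capacity 8. */
int truncated_link_stays_terminated(void) {
    char scratch[16];
    builder_t b = { .capacity = 8 };
    size_t w = readlink_like("/var/lib/very-long-name", scratch, sizeof scratch);
    size_t len = ensure_nul(scratch, sizeof scratch, w);   /* 15 */
    size_t copied = copy_to_builder(scratch, len, &b);     /* 8 */
    return strlen(scratch) == len && copied == b.capacity && b.chars[copied] == 0;
}
```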
