"Richard W.M. Jones" <rjones(a)redhat.com> writes:
On Mon, Oct 29, 2012 at 03:12:36PM -0400, John Eckersberg wrote:
> >> + offset = be32toh(*(uint32_t *) (cursor + 8));
> >> + return safe_strdup(g, store + offset);
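Review bot: `offset` comes straight out of the input bytes and is never compared against the size of `store` before `store + offset` is handed to `safe_strdup`, so a crafted value makes the strdup read from wherever it likes in the process. Reject any `offset` that is not below the store's length, and check that a NUL terminator exists between `store + offset` and the end of the store, since `safe_strdup` will otherwise run past it. Separately, `*(uint32_t *) (cursor + 8)` dereferences a byte pointer as a `uint32_t`, which is an unaligned access on strict-alignment targets; reading the four bytes into a local `uint32_t` with `memcpy` (or assembling them by shifts) before `be32toh` avoids that.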
.. and also isn't this calculation suspect? 'offset' is entirely
calculated from user data, potentially causing 'store + offset' to
point to more or less arbitrary memory in the process.
Yeah I just realized that. I will send a revised patch to the list
shortly that addresses these.