author Maxime Coste <mawww@kakoune.org> 2025-05-23 09:43:34 +1000
committer Maxime Coste <mawww@kakoune.org> 2025-05-23 09:43:34 +1000
commit b0f541aae65c06f828245e6f90a40967f8e98322 (patch)
tree e8b4f64a5c6bf5839d24f6f0d6e83cc3b8806649
parent 93e3037e490195af39f22ae42eaf82a74774e475 (diff)
Fix out-of-bounds write in short strings when reaching capacity
When we reach capacity for Short strings, we re-use the field past the buffer (remaining_capacity) to hold the terminal null character. This works well, but the code was trying to set it twice: when computing the remaining capacity (which is 0 when we hit capacity), and when setting the null character. While this second operation should be fine in practice, it is technically undefined behaviour, as we overwrite it by accessing past the end of the buffer.
-rw-r--r-- src/string.cc 3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/string.cc b/src/string.cc
index ae467075..353a9f4e 100644
--- a/src/string.cc
+++ b/src/string.cc
@@ -148,7 +148,8 @@ void String::Data::set_short(const char* data, size_t size)
u.s.remaining_size = Short::capacity - size;
if (data != nullptr)
memcpy(u.s.string, data, size);
- u.s.string[size] = 0;
+ if (size != Short::capacity) // in this case, remaining_size is the null terminator
+ u.s.string[size] = 0;
}
UnitTest test_data{[]{
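Review bot: the guard `if (size != Short::capacity)` makes correctness depend on a layout invariant that this hunk neither checks nor documents: the byte written by `u.s.remaining_size = Short::capacity - size;` must sit at exactly `u.s.string[Short::capacity]`, i.e. `remaining_size` must be a one-byte field immediately following `string` with no padding, and the earlier assignment must be the one that stores the 0. If `remaining_size` is ever widened or reordered, the string silently loses its terminator at full capacity, and no compiler warning will say so. Consider a `static_assert(offsetof(Short, remaining_size) == offsetof(Short, string) + Short::capacity && sizeof(u.s.remaining_size) == 1)` next to the `Short` definition, and expanding the inline comment to say that the terminator is supplied by `remaining_size` being 0 rather than only that it "is the null terminator". Separately, nothing visible here rejects `size > Short::capacity`: `Short::capacity - size` would wrap as an unsigned value and `memcpy` would then overrun `u.s.string` before the new guard is even reached, so if callers are expected to enforce that precondition, an assertion on `size <= Short::capacity` at the top of `set_short` would make the out-of-bounds case fail loudly instead of corrupting the union.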