Fix potential use-after-free and overlapping memory copy in ffStrbufSetNS

fam007e · CarterLi · commit 2b82e9ab02ed · 2026-04-09T09:33:58.000+08:00
diff --git a/src/common/impl/FFstrbuf.c b/src/common/impl/FFstrbuf.c
@@ -248,14 +248,17 @@ void ffStrbufSetNS(FFstrbuf* strbuf, uint32_t length, const char* value) {
     assert(value != NULL);
 
     if (strbuf->allocated < length + 1) {
+        char* newBuf = malloc(sizeof(char) * (length + 1));
+        memcpy(newBuf, value, length);
         if (strbuf->allocated > 0) {
             free(strbuf->chars);
         }
+        strbuf->chars = newBuf;
         strbuf->allocated = length + 1;
-        strbuf->chars = malloc(sizeof(char) * strbuf->allocated);
+    } else {
+        memmove(strbuf->chars, value, length);
     }
 
-    memcpy(strbuf->chars, value, length);
     strbuf->length = length;
     strbuf->chars[length] = '\0';
 }

Original file line number	Diff line number	Diff line change
`@@ -248,14 +248,17 @@ void ffStrbufSetNS(FFstrbuf* strbuf, uint32_t length, const char* value) {`
`248`	`248`	`assert(value != NULL);`
`249`	`249`
`250`	`250`	`if (strbuf->allocated < length + 1) {`
	`251`	`+ char* newBuf = malloc(sizeof(char) * (length + 1));`
	`252`	`+ memcpy(newBuf, value, length);`
`251`	`253`	`if (strbuf->allocated > 0) {`
`252`	`254`	`free(strbuf->chars);`
`253`	`255`	`}`
	`256`	`+ strbuf->chars = newBuf;`
`254`	`257`	`strbuf->allocated = length + 1;`
`255`		`- strbuf->chars = malloc(sizeof(char) * strbuf->allocated);`
	`258`	`+ } else {`
	`259`	`+ memmove(strbuf->chars, value, length);`
`256`	`260`	`}`
`257`	`261`
`258`		`- memcpy(strbuf->chars, value, length);`
`259`	`262`	`strbuf->length = length;`
`260`	`263`	`strbuf->chars[length] = '\0';`
`261`	`264`	`}`