Possible buffer overflow in TF1 / TString

Address sanitizer uncovered an unprotected `memcpy` happening here:
https://github.com/root-project/root/blob/08cbc9bfd363f69a8be02f07e2330c7f44e0b420/core/base/src/TString.cxx#L127-L136

Invoked from here:
https://github.com/root-project/root/blob/08cbc9bfd363f69a8be02f07e2330c7f44e0b420/hist/hist/src/TF1.cxx#L535

Note that it's always 5 characters being copied from the incoming string `formula`.


	TString::TString(const char *cs, Ssiz_t n)
	{
	if (n < 0) {
	Error("TString::TString", "Negative length!");
	Zero();
	return;
	}
	char *data = Init(n, n);
	memcpy(data, cs, n);
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Possible buffer overflow in TF1 / TString #8136

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Possible buffer overflow in TF1 / TString #8136

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions