<table><tr><td style="">feverfew added a comment.
</td><a style="text-decoration: none; padding: 4px 8px; margin: 0 8px 8px; float: right; color: #464C5C; font-weight: bold; border-radius: 3px; background-color: #F7F7F9; background-image: linear-gradient(to bottom,#fff,#f1f0f1); display: inline-block; border: 1px solid rgba(71,87,120,.2);" href="https://phabricator.kde.org/D29634">View Revision</a></tr></table><br /><div><div><p>Seems like something similar should also occur in <tt style="background: #ebebeb; font-size: 13px;">FileJob::write</tt>?</p></div></div><br /><div><strong>INLINE COMMENTS</strong><div><div style="margin: 6px 0 12px 0;"><div style="border: 1px solid #C7CCD9; border-radius: 3px;"><div style="padding: 0; background: #F7F7F7; border-color: #e3e4e8; border-style: solid; border-width: 0 0 1px 0; margin: 0;"><div style="color: #74777d; background: #eff2f4; padding: 6px 8px; overflow: hidden;"><a style="float: right; text-decoration: none;" href="https://phabricator.kde.org/D29634#inline-169701">View Inline</a><span style="color: #4b4d51; font-weight: bold;">kio_sftp.cpp:1831-1832</span></div>
<div style="font: 11px/15px "Menlo", "Consolas", "Monaco", monospace; white-space: pre-wrap; clear: both; padding: 4px 0; margin: 0;"><div style="padding: 0 8px; margin: 0 4px; background: rgba(151, 234, 151, .6);"> <span style="color: #aa4000">while</span> <span class="p">(</span><span class="n">offset</span> <span style="color: #aa2211"><</span> <span class="n">buffer</span><span class="p">.</span><span class="n">size</span><span class="p">())</span> <span class="p">{</span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(151, 234, 151, .6);"> <span style="color: #aa4000">const</span> <span style="color: #aa4000">auto</span> <span class="n">length</span> <span style="color: #aa2211">=</span> <span class="n">qMin</span><span style="color: #aa2211"><</span><span style="color: #aa4000">int</span><span style="color: #aa2211">></span><span class="p">(</span><span class="n">MAX_XFER_BUF_SIZE</span><span class="p">,</span> <span class="n">buffer</span><span class="p">.</span><span class="n">size</span><span class="p">());</span>
</div><div style="padding: 0 8px; margin: 0 4px; background: rgba(151, 234, 151, .6);"> <span style="color: #aa4000">ssize_t</span> <span class="n">bytesWritten</span> <span style="color: #aa2211">=</span> <span class="n">sftp_write</span><span class="p">(</span><span class="n">file</span><span class="p">,</span> <span class="n">buffer</span><span class="p">.</span><span class="n">data</span><span class="p">()</span> <span style="color: #aa2211">+</span> <span class="n">offset</span><span class="p">,</span> <span class="n">length</span><span class="p">);</span>
</div><div style="padding: 0 8px; margin: 0 4px; "> <span style="color: #aa4000">if</span> <span class="p">(</span><span class="n">bytesWritten</span> <span style="color: #aa2211"><</span> <span style="color: #601200">0</span><span class="p">)</span> <span class="p">{</span>
</div></div></div>
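<p style="padding: 0; margin: 8px;">Review bot: the chunk length on the second highlighted line is clamped against <tt style="background: #ebebeb; font-size: 13px;">buffer.size()</tt> rather than against the bytes that remain after <tt style="background: #ebebeb; font-size: 13px;">offset</tt>, so once <tt style="background: #ebebeb; font-size: 13px;">buffer.size()</tt> exceeds <tt style="background: #ebebeb; font-size: 13px;">MAX_XFER_BUF_SIZE</tt> every chunk after the first asks <tt style="background: #ebebeb; font-size: 13px;">sftp_write()</tt> for <tt style="background: #ebebeb; font-size: 13px;">MAX_XFER_BUF_SIZE</tt> bytes starting at <tt style="background: #ebebeb; font-size: 13px;">buffer.data() + offset</tt>, and the final chunk reads past the end of the buffer. Clamp against the remainder instead: <tt style="background: #ebebeb; font-size: 13px;">const auto length = qMin&lt;int&gt;(MAX_XFER_BUF_SIZE, buffer.size() - offset);</tt></p>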
<div style="margin: 8px 0; padding: 0 12px;"><p style="padding: 0; margin: 8px;">AFAICT the size of the buffer never changes, so this will easily cause a buffer overrun if I'm not mistaken?</p>
<p style="padding: 0; margin: 8px;">Say for example you have a buffer with <tt style="background: #ebebeb; font-size: 13px;">buffer.size() == MAX_XFER_BUF_SIZE + 1</tt>. Then on the second iteration of the while loop (assuming <tt style="background: #ebebeb; font-size: 13px;">bytesWritten == MAX_XFER_BUF_SIZE</tt>) you'll do a <tt style="background: #ebebeb; font-size: 13px;">sftp_write()</tt> pointing to a <tt style="background: #ebebeb; font-size: 13px;">char</tt> buffer of size 1, but which incorrectly states that the size is <tt style="background: #ebebeb; font-size: 13px;">MAX_XFER_BUF_SIZE</tt>.</p></div></div></div></div></div><br /><div><strong>REPOSITORY</strong><div><div>R320 KIO Extras</div></div></div><br /><div><strong>REVISION DETAIL</strong><div><a href="https://phabricator.kde.org/D29634">https://phabricator.kde.org/D29634</a></div></div><br /><div><strong>To: </strong>sitter, ngraham<br /><strong>Cc: </strong>feverfew, kde-frameworks-devel, kfm-devel, waitquietly, azyx, nikolaik, pberestov, iasensio, aprcela, fprice, LeGast00n, cblack, fbampaloukas, alexde, Codezela, meven, michaelh, spoorun, navarromorales, firef, ngraham, andrebarros, bruns, emmanuelp, rdieter, mikesomov<br /></div>
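<br /><div><p>The over-read described in the inline comment, as an added example that is not code from kio_sftp.cpp or KIO Extras: the quoted loop is modelled next to a corrected version, with a stand-in for libssh's <tt style="background: #ebebeb; font-size: 13px;">sftp_write()</tt> that records every requested length and flags any request whose range leaves the source buffer. The value of <tt style="background: #ebebeb; font-size: 13px;">MAX_XFER_BUF_SIZE</tt>, the <tt style="background: #ebebeb; font-size: 13px;">std::string</tt> standing in for <tt style="background: #ebebeb; font-size: 13px;">QByteArray</tt>, the <tt style="background: #ebebeb; font-size: 13px;">fakeSftpWrite()</tt> helper and the <tt style="background: #ebebeb; font-size: 13px;">offset += bytesWritten</tt> advance are assumptions of this demo, not taken from the revision.</p></div>

```cpp
// Added example, not code from kio_sftp.cpp or KIO Extras: a model of the
// chunked write loop quoted in the inline comment, with a stand-in for
// libssh's sftp_write() that records each request and flags any request
// that reaches past the end of the source buffer. MAX_XFER_BUF_SIZE's
// value, the std::string standing in for QByteArray, fakeSftpWrite(), and
// the `offset += bytesWritten` advance are assumptions of this demo.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

namespace demo {

constexpr int MAX_XFER_BUF_SIZE = 60 * 1024;   // assumed value; only the name is on the page

// What the fake transport saw: every length passed to it, and whether any
// request's [offset, offset + length) range left the buffer.
struct WriteTrace {
    std::vector<int> requestedLengths;
    bool overrun = false;
};

// Stand-in for sftp_write(file, data, len). It "writes" len bytes and reports
// len back (a full write), but records when data + len runs past the end of
// `buffer`, which is the memory a real call would read from.
static std::ptrdiff_t fakeSftpWrite(const std::string& buffer, const char* data,
                                    std::size_t len, WriteTrace& trace) {
    const std::size_t start = static_cast<std::size_t>(data - buffer.data());
    trace.requestedLengths.push_back(static_cast<int>(len));
    if (start + len > buffer.size()) {
        trace.overrun = true;   // e.g. MAX_XFER_BUF_SIZE requested from a 1-byte tail
    }
    return static_cast<std::ptrdiff_t>(len);
}

// The loop as quoted: the chunk length is clamped against buffer.size(),
// not against what remains after `offset`.
WriteTrace writeAsPosted(const std::string& buffer) {
    WriteTrace trace;
    int offset = 0;
    while (offset < static_cast<int>(buffer.size())) {
        const int length = std::min<int>(MAX_XFER_BUF_SIZE, static_cast<int>(buffer.size()));
        const std::ptrdiff_t bytesWritten =
            fakeSftpWrite(buffer, buffer.data() + offset, static_cast<std::size_t>(length), trace);
        if (bytesWritten < 0) {
            break;
        }
        offset += static_cast<int>(bytesWritten);
    }
    return trace;
}

// Corrected loop: clamp against the remaining bytes, so the final chunk is
// exactly buffer.size() - offset bytes long.
WriteTrace writeFixed(const std::string& buffer) {
    WriteTrace trace;
    int offset = 0;
    while (offset < static_cast<int>(buffer.size())) {
        const int remaining = static_cast<int>(buffer.size()) - offset;
        const int length = std::min<int>(MAX_XFER_BUF_SIZE, remaining);
        const std::ptrdiff_t bytesWritten =
            fakeSftpWrite(buffer, buffer.data() + offset, static_cast<std::size_t>(length), trace);
        if (bytesWritten < 0) {
            break;
        }
        offset += static_cast<int>(bytesWritten);
    }
    return trace;
}

}  // namespace demo

int main() {
    // Constructed input: one byte more than a single chunk, the case from the comment.
    const std::string buffer(demo::MAX_XFER_BUF_SIZE + 1, 'x');
    const demo::WriteTrace posted = demo::writeAsPosted(buffer);
    const demo::WriteTrace fixed  = demo::writeFixed(buffer);
    std::printf("as posted: second request %d bytes, overrun=%d\n",
                posted.requestedLengths[1], posted.overrun ? 1 : 0);
    std::printf("fixed:     second request %d bytes, overrun=%d\n",
                fixed.requestedLengths[1], fixed.overrun ? 1 : 0);
    return (posted.overrun && !fixed.overrun) ? 0 : 1;
}
```

<div><p>With a buffer of <tt style="background: #ebebeb; font-size: 13px;">MAX_XFER_BUF_SIZE + 1</tt> bytes the quoted loop issues two requests of <tt style="background: #ebebeb; font-size: 13px;">MAX_XFER_BUF_SIZE</tt> bytes each, the second one from a one-byte tail; the corrected loop issues <tt style="background: #ebebeb; font-size: 13px;">MAX_XFER_BUF_SIZE</tt> and then 1. Buffers no larger than one chunk never show the problem, which is why it is easy to miss in testing.</p></div>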