Comment Re:Mirror of the vulnerability description (Score 5, Interesting) 754
The bug must center around this line:
/* Increase the size of the buffer and retry. */
buffer->alloc += len + 32768;
It looks like the problem here is that buffer->alloc (which presumably stores the size of the buffer) grows on every try, while the actual size of the buffer grows only on successful tries. So you could have a situation where, after a couple of tries, the buffer is 65536, but buffer->alloc is 98304. This could potentially cause another part of the program to run past the actual end of the buffer.
The patch addresses this by only updating buffer->alloc after the new memory has been successfully allocated.
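A self-contained illustration of the bookkeeping mismatch the comment describes, added here as an example; it is not code from the comment's author or from the program under discussion. The `struct sbuf` type, the `grow_vulnerable` / `grow_fixed` functions and the scripted allocator are all hypothetical: the allocator fails a chosen number of times so the retry path can be observed, and `true_cap` is a constructed field that records what was really allocated so the two accounting styles can be compared. `grow_vulnerable` bumps `alloc` before the allocation is known to succeed; `grow_fixed` records the new size only after a successful allocation, which is the fix the comment attributes to the patch.

```c
/* Added example (not the original program's code). Names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

#define STEP 32768 /* same growth step as in the quoted line */

struct sbuf {
    unsigned char *buf; /* backing storage */
    size_t alloc;       /* size the code *believes* buf has */
    size_t true_cap;    /* constructed: size actually allocated, for checking only */
    size_t end;         /* bytes in use */
};

/* Scripted allocator: fails the next `fail_count` calls, then behaves normally. */
static int fail_count;

static void *scripted_realloc(void *p, size_t n)
{
    if (fail_count > 0) {
        fail_count--;
        return NULL;
    }
    return realloc(p, n);
}

/* Vulnerable pattern: alloc is increased before the allocation succeeds,
 * so after a failed try alloc overstates the real buffer size. */
static int grow_vulnerable(struct sbuf *b, size_t len)
{
    b->alloc += len + STEP;
    unsigned char *p = scripted_realloc(b->buf, b->alloc);
    if (p == NULL)
        return -1; /* alloc already drifted away from true_cap */
    b->buf = p;
    b->true_cap = b->alloc;
    return 0;
}

/* Fixed pattern: compute the wanted size, allocate, and only then update alloc. */
static int grow_fixed(struct sbuf *b, size_t len)
{
    size_t want = b->alloc + len + STEP;
    unsigned char *p = scripted_realloc(b->buf, want);
    if (p == NULL)
        return -1; /* alloc untouched, still accurate */
    b->buf = p;
    b->alloc = want;
    b->true_cap = want;
    return 0;
}

/* Run up to `tries` growth attempts with `fails` scripted failures.
 * Returns the final alloc; *drift receives alloc - true_cap, and *overrun
 * is set when the bookkeeping would admit a write of `len` bytes that the
 * real capacity cannot hold (the condition a later memcpy would rely on). */
static size_t simulate(int (*grow)(struct sbuf *, size_t), int fails, int tries,
                       size_t len, size_t *drift, int *overrun)
{
    struct sbuf b;
    b.buf = malloc(STEP);
    if (b.buf == NULL) {
        *drift = 0;
        *overrun = 0;
        return 0;
    }
    b.alloc = b.true_cap = STEP;
    b.end = STEP; /* constructed: buffer already full, so growth is required */
    fail_count = fails;
    for (int i = 0; i < tries; i++)
        if (grow(&b, len) == 0)
            break;
    *drift = b.alloc - b.true_cap;
    *overrun = (b.end + len <= b.alloc) && (b.end + len > b.true_cap);
    size_t final_alloc = b.alloc;
    free(b.buf);
    return final_alloc;
}

int main(void)
{
    size_t drift;
    int overrun;
    size_t a = simulate(grow_vulnerable, 2, 2, 1024, &drift, &overrun);
    printf("vulnerable: alloc=%zu drift=%zu overrun=%d\n", a, drift, overrun);
    a = simulate(grow_fixed, 2, 2, 1024, &drift, &overrun);
    printf("fixed:      alloc=%zu drift=%zu overrun=%d\n", a, drift, overrun);
    return 0;
}
```

With two scripted failures and no successful retry, the vulnerable version ends with `alloc` 67584 bytes larger than the memory it actually owns, and a size check against `alloc` would approve a write past the real end of the buffer; the fixed version keeps `alloc` equal to the true capacity throughout, and a third, successful attempt grows it by exactly one step rather than by the accumulated increments.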