[syslinux:elflink] core/elflink: Fix off-by-one error

syslinux-bot for Matt Fleming matt.fleming at intel.com
Tue Nov 27 14:15:05 PST 2012


Commit-ID:  e955e5c00a852883f6972e1a9bc304413ff79627
Gitweb:     http://www.syslinux.org/commit/e955e5c00a852883f6972e1a9bc304413ff79627
Author:     Matt Fleming <matt.fleming at intel.com>
AuthorDate: Tue, 27 Nov 2012 20:12:58 +0000
Committer:  Matt Fleming <matt.fleming at intel.com>
CommitDate: Tue, 27 Nov 2012 21:09:45 +0000

core/elflink: Fix off-by-one error

We need to remember to allocate space for the terminating NULL in
create_args_and_load() otherwise we will write a NUL-byte past the
bounds of 'argv[]' to some random part of the stack.

Signed-off-by: Matt Fleming <matt.fleming at intel.com>

---
 core/elflink/load_env32.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/core/elflink/load_env32.c b/core/elflink/load_env32.c
index 49c5989..23d6baa 100644
--- a/core/elflink/load_env32.c
+++ b/core/elflink/load_env32.c
@@ -170,9 +170,10 @@ int create_args_and_load(char *cmdline)
 	 * Generate a copy of argv on the stack as this is
 	 * traditionally where process arguments go.
 	 *
-	 * argv[0] must be the command name.
+	 * argv[0] must be the command name. Remember to allocate
+	 * space for the sentinel NULL.
 	 */
-	argv = alloca(argc * sizeof(char *));
+	argv = alloca((argc + 1) * sizeof(char *));
 
 	for (i = 0, p = cmdline; i < argc; i++) {
 		char *start;
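Review bot: the `argv = alloca((argc + 1) * sizeof(char *));` line now reserves the extra slot, but the store that fills it is not in the hunk; please confirm that `argv[argc] = NULL;` is written after the `for (i = 0, p = cmdline; i < argc; i++)` copy loop, since the updated comment promises a sentinel and without that store anything walking argv until NULL would read uninitialised stack. Two smaller points: the commit message describes the overrun as a "NUL-byte", but the element type is `char *`, so the stray write is a full pointer-width store (sizeof(char *) bytes) past the end of argv, not a single byte; and alloca() cannot report failure, so if argc is derived from an arbitrarily long cmdline, an upper bound on argc should be enforced before this allocation unless the function already does so above the hunk.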

