[syslinux:elflink] module: Fix off-by-one error in findpath()
syslinux-bot for Matt Fleming
matt.fleming at intel.com
Tue Nov 27 14:15:05 PST 2012
Commit-ID: 6f4575c2ad3950af53bcdfd40fe2cce6171179fe
Gitweb: http://www.syslinux.org/commit/6f4575c2ad3950af53bcdfd40fe2cce6171179fe
Author: Matt Fleming <matt.fleming at intel.com>
AuthorDate: Tue, 27 Nov 2012 16:25:37 +0000
Committer: Matt Fleming <matt.fleming at intel.com>
CommitDate: Tue, 27 Nov 2012 21:09:44 +0000
module: Fix off-by-one error in findpath()
We need to make sure that 'path' still has enough space to write the
trailing NUL-byte. Without this patch it's possible to write a
NUL-byte past the end of the on-stack buffer.
Signed-off-by: Matt Fleming <matt.fleming at intel.com>
---
com32/lib/sys/module/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/com32/lib/sys/module/common.c b/com32/lib/sys/module/common.c
index 30c57b4..dfbdf61 100644
--- a/com32/lib/sys/module/common.c
+++ b/com32/lib/sys/module/common.c
@@ -71,7 +71,7 @@ FILE *findpath(char *name)
p = PATH;
again:
i = 0;
- while (*p && *p != ':' && i < FILENAME_MAX) {
+ while (*p && *p != ':' && i < FILENAME_MAX - 1) {
path[i++] = *p++;
}
@@ -79,7 +79,7 @@ again:
p++;
n = name;
- while (*n && i < FILENAME_MAX)
+ while (*n && i < FILENAME_MAX - 1)
path[i++] = *n++;
path[i] = '\0';
More information about the Syslinux-commits
mailing list