diff options
| author | Matt Fleming <matt.fleming@intel.com> | 2012-11-27 16:25:37 +0000 |
|---|---|---|
| committer | Matt Fleming <matt.fleming@intel.com> | 2012-11-27 21:09:44 +0000 |
| commit | 6f4575c2ad3950af53bcdfd40fe2cce6171179fe (patch) | |
| tree | 4a8f49a5e93a95d5caa80a9edf3e24780de42858 | |
| parent | 30ebd4f6bc83fa4832b658705d4020cb82dfdaea (diff) | |
| download | syslinux-6f4575c2ad3950af53bcdfd40fe2cce6171179fe.tar.gz syslinux-6f4575c2ad3950af53bcdfd40fe2cce6171179fe.tar.xz syslinux-6f4575c2ad3950af53bcdfd40fe2cce6171179fe.zip | |
module: Fix off-by-one error in findpath()
We need to make sure that 'path' still has enough space to write the
trailing NUL-byte. Without this patch it's possible to write a
NUL-byte past the end of the on-stack buffer.
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
| -rw-r--r-- | com32/lib/sys/module/common.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/com32/lib/sys/module/common.c b/com32/lib/sys/module/common.c index 30c57b4b..dfbdf617 100644 --- a/com32/lib/sys/module/common.c +++ b/com32/lib/sys/module/common.c @@ -71,7 +71,7 @@ FILE *findpath(char *name) p = PATH; again: i = 0; - while (*p && *p != ':' && i < FILENAME_MAX) { + while (*p && *p != ':' && i < FILENAME_MAX - 1) { path[i++] = *p++; } @@ -79,7 +79,7 @@ again: p++; n = name; - while (*n && i < FILENAME_MAX) + while (*n && i < FILENAME_MAX - 1) path[i++] = *n++; path[i] = '\0'; |