author | Matt Fleming <matt.fleming@intel.com> | 2012-11-27 20:12:58 +0000 |
---|---|---|
committer | Matt Fleming <matt.fleming@intel.com> | 2012-11-27 21:09:45 +0000 |
commit | e955e5c00a852883f6972e1a9bc304413ff79627 (patch) | |
tree | 2d929acae19f02414d5fb7a8a68a3f776675ce6c | |
parent | 6f4575c2ad3950af53bcdfd40fe2cce6171179fe (diff) | |
core/elflink: Fix off-by-one error
We need to remember to allocate space for the terminating NULL in
create_args_and_load() otherwise we will write a NUL-byte past the
bounds of 'argv[]' to some random part of the stack.
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
-rw-r--r-- | core/elflink/load_env32.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/core/elflink/load_env32.c b/core/elflink/load_env32.c
index 49c5989c..23d6baa1 100644
--- a/core/elflink/load_env32.c
+++ b/core/elflink/load_env32.c
@@ -170,9 +170,10 @@ int create_args_and_load(char *cmdline)
  * Generate a copy of argv on the stack as this is
  * traditionally where process arguments go.
  *
- * argv[0] must be the command name.
+ * argv[0] must be the command name. Remember to allocate
+ * space for the sentinel NULL.
  */
- argv = alloca(argc * sizeof(char *));
+ argv = alloca((argc + 1) * sizeof(char *));
 
  for (i = 0, p = cmdline; i < argc; i++) {
  char *start; |
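Review bot: The new `alloca((argc + 1) * sizeof(char *))` sizes a stack allocation from `argc`, and nothing visible in this hunk bounds that count; alloca() has no failure return, so an oversized request simply moves the stack pointer beyond the available stack. How `argc` is computed is outside the hunk (presumably by counting tokens in `cmdline`), so confirm an upper limit is enforced before this line, or add one such as `if (argc > MAX_ARGS) return -1;`, where `MAX_ARGS` is a placeholder for a project-chosen constant. The comment would also read better if it stated the invariant directly, e.g. `argv[] holds argc pointers followed by argv[argc] = NULL`. create_args_and_load() starts and ends outside the hunk, so the store of the terminator itself cannot be checked from here.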