authorMatt Fleming <matt.fleming@intel.com>2012-11-27 20:12:58 +0000
committerMatt Fleming <matt.fleming@intel.com>2012-11-27 21:09:45 +0000
commite955e5c00a852883f6972e1a9bc304413ff79627 (patch)
tree2d929acae19f02414d5fb7a8a68a3f776675ce6c
parent6f4575c2ad3950af53bcdfd40fe2cce6171179fe (diff)
core/elflink: Fix off-by-one error
We need to remember to allocate space for the terminating NULL in create_args_and_load(); otherwise we will write a NUL-byte past the bounds of 'argv[]' to some random part of the stack.

Signed-off-by: Matt Fleming <matt.fleming@intel.com>
-rw-r--r--core/elflink/load_env32.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/core/elflink/load_env32.c b/core/elflink/load_env32.c
index 49c5989c..23d6baa1 100644
--- a/core/elflink/load_env32.c
+++ b/core/elflink/load_env32.c
@@ -170,9 +170,10 @@ int create_args_and_load(char *cmdline)
* Generate a copy of argv on the stack as this is
* traditionally where process arguments go.
*
- * argv[0] must be the command name.
+ * argv[0] must be the command name. Remember to allocate
+ * space for the sentinel NULL.
*/
- argv = alloca(argc * sizeof(char *));
+ argv = alloca((argc + 1) * sizeof(char *));
for (i = 0, p = cmdline; i < argc; i++) {
char *start;
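Review bot: The `alloca()` size on the added line still scales with `argc`, which is computed from `cmdline` outside this hunk, and no upper bound is visible here. `alloca()` cannot report failure, so an unusually long command line would overrun the stack instead of producing an error. Consider rejecting oversized input before the allocation, e.g. `if (argc < 0 || argc > ARGV_LIMIT) return -1;` (`ARGV_LIMIT` and the return value are placeholders for the project's own limit and error convention), or switching to a checked heap allocation. The store of the sentinel itself (presumably `argv[argc] = NULL`) is not in the hunk, and the `for` loop body continues outside it, so the pairing of the `argc + 1` size with that write should be confirmed there.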