| https://bugs.gentoo.org/370949 |
| |
| From 435bad87388821684bb3cd2a33c42787cf970017 Mon Sep 17 00:00:00 2001 |
| From: Mike Frysinger <vapier@gentoo.org> |
| Date: Sun, 6 Nov 2011 00:44:57 -0400 |
| Subject: [PATCH] path: fix 1 byte overflow with empty lists |
| |
| If pap->pa_cnt is 0, then the local buffer is allocated as 1 byte, |
| but the code then writes two bytes to it '/' and '\0'. |
| |
| Signed-off-by: Mike Frysinger <vapier@gentoo.org> |
| --- |
| common/path.c | 2 ++ |
| 1 files changed, 2 insertions(+), 0 deletions(-) |
| |
| diff --git a/common/path.c b/common/path.c |
| index 66320de..ca24f6a 100644 |
| --- a/common/path.c |
| +++ b/common/path.c |
| @@ -285,6 +285,8 @@ pa_gen( pa_t *pap ) |
| for ( i = 0 ; i < pap->pa_cnt ; i++ ) { |
| sz += strlen( pap->pa_array[ i ] ) + 1; |
| } |
| + if ( i == 0 ) |
| + sz++; |
| sz++; |
| |
| retp = ( char * )malloc( sz ); |
| -- |
| 1.7.6.1 |
| |