author | Dirk Hohndel <dirk@hohndel.org> | 2012-11-19 20:43:49 -0800 |
---|---|---|
committer | Dirk Hohndel <dirk@hohndel.org> | 2012-11-19 20:49:45 -0800 |
commit | 8e4d4970ecf348566046a5fd8aaee13a42b1a7e4 (patch) | |
tree | d42470e341b0faa241551301562ca2e00cd183a2 | |
parent | f3d87a2b164cd605620a8d2e5cd0b35bfc28ce2d (diff) | |
download | subsurface-8e4d4970ecf348566046a5fd8aaee13a42b1a7e4.tar.gz |
Fix another off by one error in Uemis native downloader
And again buffer_insert contained the blatant bug.
The code wasn't copying the trailing '\0' when extending the string, which
usually didn't end up blowing up the code (and therefore kept the bug
hidden until now) because of the way realloc reused memory - we just had
trailing garbage strings. But sometimes we weren't so lucky and the strlen
in a subsequent call of buffer_insert would run past the end of the
allocated buffer.
Oops.
Signed-off-by: Dirk Hohndel <dirk@hohndel.org>
-rw-r--r-- | uemis-downloader.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/uemis-downloader.c b/uemis-downloader.c index adf400581..cf70776c8 100644 --- a/uemis-downloader.c +++ b/uemis-downloader.c @@ -413,7 +413,7 @@ static void buffer_insert(char **buffer, int *buffer_size, char *buf) *buffer_size += len; *buffer = realloc(*buffer, *buffer_size); ptr = *buffer + offset; - memmove(ptr + len, ptr, strlen(*buffer) - offset); + memmove(ptr + len, ptr, strlen(*buffer) - offset + 1); memmove(ptr, cbuf, len); } |
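Review bot: In buffer_insert, the corrected memmove(ptr + len, ptr, strlen(*buffer) - offset + 1) now writes up to and including index strlen(*buffer) + len of the buffer, so it stays in bounds only if *buffer_size already counted the terminating '\0' before len was added, and nothing in the visible lines establishes that. Consider taking strlen(*buffer) once before the realloc and sizing the allocation from it (old length + len + 1), so the bound is explicit instead of depending on how the caller initialised *buffer_size. Separately, the result of realloc is assigned straight to *buffer with no NULL check, so a failed allocation loses the original pointer and the following memmove works from a NULL base; assign to a temporary and return on failure.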