The loop in fill_cmnd() was going one byte too far past the end, resulting
authorTodd C. Miller <Todd.Miller@courtesan.com>
Sat, 8 Nov 2008 15:40:33 +0000 (15:40 +0000)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Sat, 8 Nov 2008 15:40:33 +0000 (15:40 +0000)
in a NUL being written immediately after the buffer end.

toke.c
toke.l

diff --git a/toke.c b/toke.c
index 03541b351d95d04dd143974fc711c518fe9cdcad..21e2a5ccc5812e1637debba1ad74bc26431df996 100644 (file)
--- a/toke.c
+++ b/toke.c
@@ -3124,7 +3124,7 @@ fill_cmnd(src, len)
 
     arg_len = arg_size = 0;
 
-    dst = yylval.command.cmnd = (char *) malloc(++len);
+    dst = yylval.command.cmnd = (char *) malloc(len + 1);
     if (yylval.command.cmnd == NULL) {
        yyerror("unable to allocate memory");
        return(FALSE);
diff --git a/toke.l b/toke.l
index 353ab2d11d8979d05836eacac8850f97d3476b12..1a81fe0b3bd3d852605e54c45937b36e9140fab8 100644 (file)
--- a/toke.l
+++ b/toke.l
@@ -543,7 +543,7 @@ fill_cmnd(src, len)
 
     arg_len = arg_size = 0;
 
-    dst = yylval.command.cmnd = (char *) malloc(++len);
+    dst = yylval.command.cmnd = (char *) malloc(len + 1);
     if (yylval.command.cmnd == NULL) {
        yyerror("unable to allocate memory");
        return(FALSE);
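Review bot: The new `malloc(len + 1)` line carries no comment explaining that `len` must stay unmodified, which is the invariant this fix relies on. Going by the commit message, the copy loop (outside this hunk) is bounded by `len`, so the old `++len` made it run one byte too far and put the terminating NUL just past the allocation. I would add `/* +1 for the terminating NUL; len must remain the source length, the copy loop below is bounded by it */` above the allocation so a later cleanup does not bring the pre-increment back. The loop and the final NUL store lie outside the hunk, so it is worth confirming there that the last write lands no further than index `len`. The identical hunk in toke.c appears to be the generated copy of this file and needs no separate change.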