From: Todd C. Miller
Date: Sat, 8 Nov 2008 15:40:33 +0000 (+0000)
Subject: The loop in fill_cmnd() was going one byte too far past the end, resulting
X-Git-Tag: SUDO_1_7_0~42
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b0c1c7979f9f8b789311fefe96d525b16a4eb915;p=sudo
The loop in fill_cmnd() was going one byte too far past the end, resulting in a NUL being written immediately after the buffer end.
---
diff --git a/toke.c b/toke.c
index 03541b351..21e2a5ccc 100644
--- a/toke.c
+++ b/toke.c
@@ -3124,7 +3124,7 @@ fill_cmnd(src, len)
 arg_len = arg_size = 0;
- dst = yylval.command.cmnd = (char *) malloc(++len);
+ dst = yylval.command.cmnd = (char *) malloc(len + 1);
 if (yylval.command.cmnd == NULL) {
 yyerror("unable to allocate memory");
 return(FALSE);
diff --git a/toke.l b/toke.l
index 353ab2d11..1a81fe0b3 100644
--- a/toke.l
+++ b/toke.l
@@ -543,7 +543,7 @@ fill_cmnd(src, len)
 arg_len = arg_size = 0;
- dst = yylval.command.cmnd = (char *) malloc(++len);
+ dst = yylval.command.cmnd = (char *) malloc(len + 1);
 if (yylval.command.cmnd == NULL) {
 yyerror("unable to allocate memory");
 return(FALSE);
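Review bot: Nothing at the allocation in fill_cmnd() records that `len` must stay equal to the source length, which is the invariant the old `malloc(++len)` silently broke; I would add a comment above the call such as `/* +1 for the terminating NUL; len must remain the source length because the copy loop is bounded by it */`. The allocation size is the same before and after the change, so the fix rests entirely on the copy loop and the final NUL store, both of which are outside the hunk and cannot be checked from these lines. The type of `len` is not visible in this K&R-style definition either; if it is a signed int, `len + 1` presumably relies on callers never passing a negative or maximal value, which is worth confirming. The same applies to the identical hunk in toke.c.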