[sac-dev] Patch to a buffer overflow bug

Kuang He icrazy at gmail.com
Tue Sep 9 18:12:53 PDT 2008


Hi,

The string sachistory below is overrun by 1 byte.

diff --git a/src/co/select.c b/src/co/select.c
index 580db77..578360b 100644
--- a/src/co/select.c
+++ b/src/co/select.c
@@ -162,10 +162,11 @@ sac_history_file_set(char *name) {
     /* Null name signifies default */
     home = getenv("HOME");
     if(home) {
-      len = strlen(home) + strlen(SAC_HISTORY_FILE) + 1;
+      /* "+ 2": characters '/' and '\0' */
+      len = strlen(home) + strlen(SAC_HISTORY_FILE) + 2;
       sachistory = (char *)malloc(sizeof(char) * len);
       sprintf(sachistory,"%s/%s", home, SAC_HISTORY_FILE);
-      sachistory[len] = '\0';
+      sachistory[len - 1] = '\0';
     } else {
       sachistory = NULL;
     }
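Review bot: the resized allocation fixes the one-byte overrun, but the `sprintf` on the line after `malloc` is still unbounded and there is no check that `malloc` succeeded before writing through `sachistory`. Suggest `if (!sachistory) { /* handle allocation failure */ }` before the write and `snprintf(sachistory, len, "%s/%s", home, SAC_HISTORY_FILE);` so the write is bounded by the same `len` used for the allocation; with either `sprintf` or `snprintf` the terminator is written by the call itself, so the added `sachistory[len - 1] = '\0';` is redundant (harmless now that the index is inside the buffer, but it was the out-of-bounds write in the old code).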


Best regards,

-- 
Kuang He
Department of Physics
University of Connecticut
Storrs, CT 06269-3046

Tel: +1.860.486.4919
Web: http://www.phys.uconn.edu/~he/
