Author: stippi Date: 2010-04-11 23:20:39 +0200 (Sun, 11 Apr 2010) New Revision: 36172 Changeset: http://dev.haiku-os.org/changeset/36172/haiku Modified: haiku/trunk/src/kits/interface/TextInput.cpp Log: Bug found by mmlr, since the "inText" is not terminated, strcpy could overwrite a random amount of memory of the allocated "buffer". If it were terminated, it would overwrite one byte, since it will also terminate the destination buffer, which didn't contain the necessary room. Use strlcpy() instead and provide enough room. Modified: haiku/trunk/src/kits/interface/TextInput.cpp =================================================================== --- haiku/trunk/src/kits/interface/TextInput.cpp 2010-04-11 20:45:23 UTC (rev 36171) +++ haiku/trunk/src/kits/interface/TextInput.cpp 2010-04-11 21:20:39 UTC (rev 36172) @@ -207,10 +207,10 @@ char* buffer = NULL; if (strpbrk(inText, "\r\n") && inLength <= 1024) { - buffer = (char*)malloc(inLength); + buffer = (char*)malloc(inLength + 1); if (buffer) { - strcpy(buffer, inText); + strlcpy(buffer, inText, inLength); for (int32 i = 0; i < inLength; i++) { if (buffer[i] == '\r' || buffer[i] == '\n')
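Review bot: the strlcpy size argument truncates the input: `strlcpy(buffer, inText, inLength);` copies at most inLength - 1 bytes and then writes the terminator, so the last character of an inText of exactly inLength bytes is silently dropped even though the buffer was just enlarged to inLength + 1. Pass the real buffer size, `strlcpy(buffer, inText, inLength + 1);`, so the full inLength bytes are copied and the terminator lands in the extra byte (the following `for (int32 i = 0; i < inLength; i++)` loop is fine either way, since comparing the NUL at buffer[inLength] against '\r'/'\n' is harmless). A second, separate concern in the unchanged context: the log says inText is not terminated, yet the guard still calls `strpbrk(inText, "\r\n")`, which scans until it finds a NUL and so can read past inLength bytes of inText; a bounded check such as memchr(inText, '\r', inLength) || memchr(inText, '\n', inLength), or a loop over inLength, avoids the over-read. It would also help to note in the comment why 1024 is the cutoff for taking this path.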