[haiku-commits] r36172 - haiku/trunk/src/kits/interface

  • From: superstippi@xxxxxx
  • To: haiku-commits@xxxxxxxxxxxxx
  • Date: Sun, 11 Apr 2010 23:20:39 +0200 (CEST)

Author: stippi
Date: 2010-04-11 23:20:39 +0200 (Sun, 11 Apr 2010)
New Revision: 36172
Changeset: http://dev.haiku-os.org/changeset/36172/haiku

Modified:
   haiku/trunk/src/kits/interface/TextInput.cpp
Log:
Bug found by mmlr, since the "inText" is not terminated, strcpy could overwrite
a random amount of memory of the allocated "buffer". If it were terminated, it
would overwrite one byte, since it will also terminate the destination buffer,
which didn't contain the necessary room. Use strlcpy() instead and provide
enough room.


Modified: haiku/trunk/src/kits/interface/TextInput.cpp
===================================================================
--- haiku/trunk/src/kits/interface/TextInput.cpp        2010-04-11 20:45:23 UTC 
(rev 36171)
+++ haiku/trunk/src/kits/interface/TextInput.cpp        2010-04-11 21:20:39 UTC 
(rev 36172)
@@ -207,10 +207,10 @@
        char* buffer = NULL;
 
        if (strpbrk(inText, "\r\n") && inLength <= 1024) {
-               buffer = (char*)malloc(inLength);
+               buffer = (char*)malloc(inLength + 1);
 
                if (buffer) {
-                       strcpy(buffer, inText);
+                       strlcpy(buffer, inText, inLength);
 
                        for (int32 i = 0; i < inLength; i++) {
                                if (buffer[i] == '\r' || buffer[i] == '\n')
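Review bot: The size passed on the added line `strlcpy(buffer, inText, inLength);` should be `inLength + 1`, matching the new malloc() size. strlcpy() copies at most size - 1 bytes and then writes the terminator, so as written the last byte of inText is dropped and the extra byte just allocated is never used. Separately, strlcpy() returns strlen() of the source and therefore keeps reading inText until it finds a NUL, and the unchanged `strpbrk(inText, "\r\n")` above does the same. If inText is not terminated, as the log says, both still read past inLength. A memcpy() of inLength bytes followed by `buffer[inLength] = '\0'` would bound the read, and the strpbrk() check could become a scan limited to inLength.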

