2010/4/11 <superstippi@xxxxxx>:
> Author: stippi
> Date: 2010-04-11 23:20:39 +0200 (Sun, 11 Apr 2010)
> New Revision: 36172
> Changeset: http://dev.haiku-os.org/changeset/36172/haiku
>
> Modified:
> haiku/trunk/src/kits/interface/TextInput.cpp
> Log:
> Bug found by mmlr, since the "inText" is not terminated, strcpy could overwrite
> a random amount of memory of the allocated "buffer". If it were terminated, it
> would overwrite one byte, since it will also terminate the destination buffer,
> which didn't contain the necessary room. Use strlcpy() instead and provide
> enough room.
>
>
> Modified: haiku/trunk/src/kits/interface/TextInput.cpp
> ===================================================================
> --- haiku/trunk/src/kits/interface/TextInput.cpp	2010-04-11 20:45:23 UTC (rev 36171)
> +++ haiku/trunk/src/kits/interface/TextInput.cpp	2010-04-11 21:20:39 UTC (rev 36172)
> @@ -207,10 +207,10 @@
>  	char* buffer = NULL;
>
>  	if (strpbrk(inText, "\r\n") && inLength <= 1024) {
> -		buffer = (char*)malloc(inLength);
> +		buffer = (char*)malloc(inLength + 1);
>
>  		if (buffer) {
> -			strcpy(buffer, inText);
> +			strlcpy(buffer, inText, inLength);
>
>  			for (int32 i = 0; i < inLength; i++) {
>  				if (buffer[i] == '\r' || buffer[i] == '\n')

Note that this code still has problems. In case the text is longer than 1024
bytes, the CR and LF won't be removed, and the text will be copied as-is to the
destination buffer. I guess we could simply cut the text if it's longer than
1024 (or a different value, but still fixed).
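Review bot: The size argument in the new `strlcpy(buffer, inText, inLength);` line does not match the allocation on the line above it. `malloc(inLength + 1)` reserves room for inLength characters plus the terminator, but strlcpy() takes the destination size and copies at most size - 1 characters before writing the NUL, so this call silently drops the last byte of inText; pass `inLength + 1` so the two agree. Also, since the log says inText is not NUL-terminated, note that a conventional strlcpy() still walks the source to the terminator to compute its return value, and the unchanged `strpbrk(inText, "\r\n")` context line likewise scans for one, so both can read past the end of inText. A length-bounded copy, `memcpy(buffer, inText, inLength); buffer[inLength] = '\0';`, avoids the over-read on the copy and leaves the following `for` loop over inLength bytes correct.

As an added example (not Haiku's code and not part of this mail), the length-bounded copy that the patched hunk is aiming for: it allocates inLength + 1 bytes, copies by length instead of scanning for a terminator, and, going beyond the hunk, also handles input longer than 1024 bytes so no fixed cutoff is needed. The function names are hypothetical, and replacing each CR/LF with a space is an assumption, since the body of the original loop is not shown.

```c
#include <stdlib.h>
#include <string.h>

/* Bounded copy of a text span that need not be NUL-terminated.
 * Allocates inLength + 1 bytes, copies exactly inLength bytes (never
 * scanning inText for a terminator, so no over-read and no strcpy-style
 * overflow), replaces each '\r' and '\n' with a space (assumption: the
 * original loop's replacement is not visible in the hunk) and
 * NUL-terminates. Works for any length, so no fixed 1024 limit is needed.
 * Returns NULL on allocation failure; the caller frees the result. */
char* copy_without_newlines(const char* inText, size_t inLength)
{
    char* buffer = (char*)malloc(inLength + 1); /* +1 for the terminator */
    if (buffer == NULL)
        return NULL;

    memcpy(buffer, inText, inLength); /* bounded by the caller's length */
    buffer[inLength] = '\0';          /* the byte strcpy() had no room for */

    for (size_t i = 0; i < inLength; i++) {
        if (buffer[i] == '\r' || buffer[i] == '\n')
            buffer[i] = ' ';
    }
    return buffer;
}

/* Self-check on constructed inputs: one deliberately has no terminator
 * (the situation the commit log describes), the other is longer than the
 * hunk's 1024-byte limit. Returns 1 when both copies are as expected. */
int self_check(void)
{
    /* 9 bytes, no trailing '\0': mimics inText as handed to TextInput */
    static const char raw[] = {'l','i','n','e','\r','\n','t','w','o'};
    char* out = copy_without_newlines(raw, sizeof(raw));
    int ok = out != NULL
          && strlen(out) == sizeof(raw)
          && strcmp(out, "line  two") == 0;
    free(out);

    /* 2000 bytes with one LF in the middle: beyond the old 1024 cutoff */
    char big[2000];
    memset(big, 'a', sizeof(big));
    big[1500] = '\n';
    char* out2 = copy_without_newlines(big, sizeof(big));
    ok = ok && out2 != NULL && strlen(out2) == sizeof(big) && out2[1500] == ' ';
    free(out2);
    return ok;
}
```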