From 624a58b6e6a029e1a0cabe8e163e00a4a54cb1b3 Mon Sep 17 00:00:00 2001
From: Eric Anholt
Date: Wed, 7 Jan 2004 05:28:57 +0000
Subject: [PATCH] From PR: In fdformat.c a closing parenthesis is at the wrong place. Instead of adding sizeof _PATH_DEV + 1 to the length of argv[optind], the length of the string starting (sizeof _PATH_DEV + 1) characters after argv[optind]'s beginning (accessing junk memory if we jump over the terminating null character) is passed to malloc().
PR: bin/60026
Submitted by: Stefan Farfeleder
---
 usr.sbin/fdformat/fdformat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/usr.sbin/fdformat/fdformat.c b/usr.sbin/fdformat/fdformat.c
index 0e624dec2705..dd92a86a5077 100644
--- a/usr.sbin/fdformat/fdformat.c
+++ b/usr.sbin/fdformat/fdformat.c
@@ -205,7 +205,7 @@ main(int argc, char **argv)
 if (stat(argv[optind], &sb) == -1 && errno == ENOENT) {
 /* try prepending _PATH_DEV */
- device = malloc(strlen(argv[optind] + sizeof _PATH_DEV + 1));
+ device = malloc(strlen(argv[optind]) + sizeof(_PATH_DEV) + 1);
 if (device == 0)
 errx(EX_UNAVAILABLE, "out of memory");
 strcpy(device, _PATH_DEV);
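Review bot: The allocation size on the new `malloc()` line is still computed by hand, separately from the `strcpy()` that fills the buffer (and whatever append follows outside the hunk), so the sizing and the copying can drift apart again the way they did here. Letting the library size the buffer removes the arithmetic entirely: `if (asprintf(&device, "%s%s", _PATH_DEV, argv[optind]) == -1) errx(EX_UNAVAILABLE, "out of memory");`. If the manual form is kept, a comment such as `/* sizeof(_PATH_DEV) already counts the NUL; the +1 is slack */` would document why the sum is sufficient, and `device == 0` reads better as `device == NULL`. The enclosing `if` block in `main()` continues past the end of the hunk, so the append and later use of `device` are not visible here.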