d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

From PR:

Browse Source 
In fdformat.c a closing parenthesis is at the wrong place.  Instead of
adding sizeof _PATH_DEV + 1 to the length of argv[optind], the length of the
string starting (sizeof _PATH_DEV + 1) characters after argv[optind]'s
beginning (accessing junk memory if we jump over the terminating null
character) is passed to malloc().

PR:		bin/60026
Submitted by:	Stefan Farfeleder <stefan@fafoe.narf.at>
This commit is contained in:
anholt 2004-01-07 05:28:57 +00:00
parent badbd5bb9c
commit eb1c73d67a
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
usr.sbin/fdformat/fdformat.c
View File

@ -205,7 +205,7 @@ main(int argc, char **argv)
if (stat(argv[optind], &sb) == -1 && errno == ENOENT) {
/* try prepending _PATH_DEV */
device = malloc(strlen(argv[optind] + sizeof _PATH_DEV + 1));
device = malloc(strlen(argv[optind]) + sizeof(_PATH_DEV) + 1);
if (device == 0)
errx(EX_UNAVAILABLE, "out of memory");
strcpy(device, _PATH_DEV);