Thread: Patch to a buffer overflow bug

Started: 2008-09-10 04:12:53
Last activity: 2008-09-10 04:12:53
Topics: SAC Developers
Kuang He
2008-09-10 04:12:53
Hi,

The string sachistory below is overrun by 1 byte.

diff --git a/src/co/select.c b/src/co/select.c
index 580db77..578360b 100644
--- a/src/co/select.c
+++ b/src/co/select.c
@@ -162,10 +162,11 @@ sac_history_file_set(char *name) {
/* Null name signifies default */
home = getenv("HOME");
if(home) {
- len = strlen(home) + strlen(SAC_HISTORY_FILE) + 1;
+ /* "+ 2": characters '/' and '\0' */
+ len = strlen(home) + strlen(SAC_HISTORY_FILE) + 2;
sachistory = (char *)malloc(sizeof(char) * len);
sprintf(sachistory,"%s/%s", home, SAC_HISTORY_FILE);
- sachistory[len] = '\0';
+ sachistory[len - 1] = '\0';
} else {
sachistory = NULL;
}


Best regards,

--
Kuang He
Department of Physics
University of Connecticut
Storrs, CT 06269-3046

Tel: +1.860.486.4919
Web: http://www.phys.uconn.edu/~he/

04:39:14 v.01697673