[26397] trunk/base/src/pextlib1.0/fs-traverse.c
source_changes at macosforge.org
source_changes at macosforge.org
Wed Jun 20 22:38:18 PDT 2007
Revision: 26397
http://trac.macosforge.org/projects/macports/changeset/26397
Author: eridius at macports.org
Date: 2007-06-20 22:38:17 -0700 (Wed, 20 Jun 2007)
Log Message:
-----------
Fix a buffer overrun error in pextlib's fs-traverse.
What a difference a single character can make (s/objc/lobjc/).
The reason this wasn't caught before was it was allocating a buffer as large as the number of arguments to fs-traverse rather than the number of items in the targets list, and I only tested with small lists.
Modified Paths:
--------------
trunk/base/src/pextlib1.0/fs-traverse.c
Modified: trunk/base/src/pextlib1.0/fs-traverse.c
===================================================================
--- trunk/base/src/pextlib1.0/fs-traverse.c 2007-06-21 04:49:56 UTC (rev 26396)
+++ trunk/base/src/pextlib1.0/fs-traverse.c 2007-06-21 05:38:17 UTC (rev 26397)
@@ -114,12 +114,13 @@
body = *objv;
if ((rval = Tcl_ListObjGetElements(interp, listPtr, &lobjc, &lobjv)) == TCL_OK) {
- char **entries = calloc(objc, sizeof(char *));
+ char **entries = calloc(lobjc+1, sizeof(char *));
char **iter = (char **)entries;
- while (lobjc) {
+ while (lobjc > 0) {
*iter++ = Tcl_GetString(*lobjv);
--lobjc, ++lobjv;
}
+ *iter = NULL;
rval = do_traverse(interp, flags, entries, varname, body);
free(entries);
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/macports-changes/attachments/20070620/8abcb0d0/attachment.html
More information about the macports-changes
mailing list