[26397] trunk/base/src/pextlib1.0/fs-traverse.c

[source_changes at macosforge.org]

Revision: 26397
          http://trac.macosforge.org/projects/macports/changeset/26397
Author:   eridius at macports.org
Date:     2007-06-20 22:38:17 -0700 (Wed, 20 Jun 2007)

Log Message:
-----------
Fix a buffer overrun error in pextlib's fs-traverse.
What a difference a single character can make (s/objc/lobjc/).
The reason this wasn't caught before was it was allocating a buffer as large as the number of arguments to fs-traverse rather than the number of items in the targets list, and I only tested with small lists.

Modified Paths:
--------------
    trunk/base/src/pextlib1.0/fs-traverse.c

Modified: trunk/base/src/pextlib1.0/fs-traverse.c
===================================================================
--- trunk/base/src/pextlib1.0/fs-traverse.c	2007-06-21 04:49:56 UTC (rev 26396)
+++ trunk/base/src/pextlib1.0/fs-traverse.c	2007-06-21 05:38:17 UTC (rev 26397)
@@ -114,12 +114,13 @@
     body = *objv;
     
     if ((rval = Tcl_ListObjGetElements(interp, listPtr, &lobjc, &lobjv)) == TCL_OK) {
-        char **entries = calloc(objc, sizeof(char *));
+        char **entries = calloc(lobjc+1, sizeof(char *));
         char **iter = (char **)entries;
-        while (lobjc) {
+        while (lobjc > 0) {
             *iter++ = Tcl_GetString(*lobjv);
             --lobjc, ++lobjv;
         }
+        *iter = NULL;
         rval = do_traverse(interp, flags, entries, varname, body);
         free(entries);
     }

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/macports-changes/attachments/20070620/8abcb0d0/attachment.html