authorLubomir Rintel <lkundrak@v3.sk>2009-06-23 00:49:17 +0200
committerPanu Matilainen <pmatilai@redhat.com>2009-07-21 09:52:38 +0300
commita2ad97d62b6bc8082ebf47930f77716d89bb549f (patch)
treee4ca0d84bc71d06ae5d837b562ffce1309f6aaa0
parent7337077eacb45d438ef20f3125015b862bdb43c9 (diff)
downloadrpm-a2ad97d62b6bc8082ebf47930f77716d89bb549f.tar.gz
Fix memory allocation for token array
This fixes memory corruption caused by an out-of-bounds write to the token array, whose size was computed incorrectly. It was assumed that only '%' characters separate tokens, which could lead to crashes on useless uses of '[' tokens, such as "rpm -qa --qf '[]lalala'". (cherry picked from commit 52e4b9bcaca60499e8bb7f23eb590ce01c89c574)
-rw-r--r--lib/headerfmt.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/headerfmt.c b/lib/headerfmt.c
index 569bc0e3d..d3956585e 100644
--- a/lib/headerfmt.c
+++ b/lib/headerfmt.c
@@ -296,7 +296,7 @@ static int parseFormat(headerSprintfArgs hsa, char * str,
numTokens = 0;
if (str != NULL)
for (chptr = str; *chptr != '\0'; chptr++)
- if (*chptr == '%') numTokens++;
+ if (*chptr == '%' || *chptr == '[') numTokens++;
numTokens = numTokens * 2 + 1;
format = xcalloc(numTokens, sizeof(*format));
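Review bot: The size passed to `xcalloc` is still an estimate from a separate pre-scan of `str`, and nothing visible in this hunk ties that estimate to the code that later writes into `format`. If the parser can start a token on any character other than `%` or `[`, the same out-of-bounds write would come back. The reasoning behind `numTokens * 2 + 1` should be written down next to the count, for example `/* upper bound on tokens: every '%' or '[' may start one token and end a preceding literal, plus one trailing literal */`; that wording is inferred from the arithmetic and should be confirmed against the parser. The filling loop lies outside the hunk, so it cannot be checked from here, but it would be safer for it to compare its token index with the allocated count and fail the parse rather than rely on the pre-scan alone. The query format string comes straight from the command line (`--qf`), so this bound is reachable with user-supplied input.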