diff options
author | Panu Matilainen <pmatilai@redhat.com> | 2016-11-16 10:55:50 +0200 |
---|---|---|
committer | Panu Matilainen <pmatilai@redhat.com> | 2016-11-16 10:55:50 +0200 |
commit | 8dda888e14df323e1dc1e76a42851e68980658cd (patch) | |
tree | 17a79a4c0e96975b9bdee02c1bdded2d98a801aa /rpmio/rpmglob.c | |
parent | 1545e71d87d0580b12af29b8af70088cb3229582 (diff) | |
download | rpm-8dda888e14df323e1dc1e76a42851e68980658cd.tar.gz |
Fix off-by-one stack write in rpmGlob() (RhBug:1371914)
Happens with eg pattern "~0//0", easily visible if alloca() is changed
to malloc(). Reported as a security concern, dunno about that but a bug
it is anyway.
Diffstat (limited to 'rpmio/rpmglob.c')
-rw-r--r-- | rpmio/rpmglob.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/rpmio/rpmglob.c b/rpmio/rpmglob.c index 66f838cd6..4b45c149d 100644 --- a/rpmio/rpmglob.c +++ b/rpmio/rpmglob.c @@ -337,7 +337,7 @@ glob(const char *pattern, int flags, user_name = dirname + 1; else { char *newp; - newp = (char *) alloca(end_name - dirname); + newp = (char *) alloca(end_name - dirname + 1); *((char *) mempcpy(newp, dirname + 1, end_name - dirname)) = '\0'; user_name = newp; |