authorPanu Matilainen <pmatilai@redhat.com>2016-11-16 10:55:50 +0200
committerPanu Matilainen <pmatilai@redhat.com>2016-11-16 10:55:50 +0200
commit8dda888e14df323e1dc1e76a42851e68980658cd (patch)
tree17a79a4c0e96975b9bdee02c1bdded2d98a801aa /rpmio/rpmglob.c
parent1545e71d87d0580b12af29b8af70088cb3229582 (diff)
Fix off-by-one stack write in rpmGlob() (RhBug:1371914)
Happens with eg pattern "~0//0", easily visible if alloca() is changed to malloc(). Reported as a security concern, dunno about that but a bug it is anyway.
Diffstat (limited to 'rpmio/rpmglob.c')
-rw-r--r--rpmio/rpmglob.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/rpmio/rpmglob.c b/rpmio/rpmglob.c
index 66f838cd6..4b45c149d 100644
--- a/rpmio/rpmglob.c
+++ b/rpmio/rpmglob.c
@@ -337,7 +337,7 @@ glob(const char *pattern, int flags,
user_name = dirname + 1;
else {
char *newp;
- newp = (char *) alloca(end_name - dirname);
+ newp = (char *) alloca(end_name - dirname + 1);
*((char *) mempcpy(newp, dirname + 1, end_name - dirname))
= '\0';
user_name = newp;
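Review bot: The copy length on the `mempcpy` line still looks one byte too long. Starting at `dirname + 1` and copying `end_name - dirname` bytes reads through the byte at `end_name` itself, so the larger `alloca` stops the out-of-bounds NUL write but `user_name` presumably still ends with the `/` separator; the assignment of `end_name` is outside the hunk, so confirm it points at the slash. If it does, keeping the original allocation and shortening the copy, `*((char *) mempcpy(newp, dirname + 1, end_name - dirname - 1)) = '\0';`, removes the overflow and passes on a clean name for the lookup. The `alloca` size is also derived directly from the pattern, so a length bound or a heap allocation with a checked result would avoid unchecked stack growth on long input. The enclosing `glob()` body starts and ends outside this hunk.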