out of bounds array access in speechd-up.c
From: C . M . Brannon
Subject: out of bounds array access in speechd-up.c
Date: Fri, 18 May 2007 05:52:19

Hi. I'm not sure if this is the right list for this.

I found a possible source of out-of-bounds array accesses in speechd-up.c.
In main(), a buffer is declared to hold BUF_SIZE characters. Within the
main I/O loop, we do:

    chars_read = read(fd, buf, BUF_SIZE);
    buf[chars_read] = 0;

If read() grabbed BUF_SIZE characters, then a NUL gets written
to buf[BUF_SIZE].

I am attaching a diff, taken against the code from cvs.

Thanks,
-- Chris
-------------- next part --------------
diff -Naur speechd-up/speechd-up.c speechd-up.new/speechd-up.c
--- speechd-up/speechd-up.c 2007-05-18 05:41:45.000000000 -0500
+++ speechd-up.new/speechd-up.c 2007-05-18 05:44:25.000000000 -0500
@@ -568,7 +568,7 @@
main (int argc, char *argv[])
{
size_t chars_read;
- char buf[BUF_SIZE];
+ char buf[BUF_SIZE + 1]; /* Leave room for trailing NUL */
int ret;
options_set_default();
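
Review bot: `size_t chars_read;` in the context lines of this hunk stays unsigned, so if read() returns -1 the assignment quoted in the report, `buf[chars_read] = 0;`, converts that to a huge index and writes far outside the enlarged buffer as well. Declare chars_read as ssize_t and check for a negative return before storing the terminator. The BUF_SIZE + 1 sizing does cover the full-read case; the comment on the `+` line could also name the read(fd, buf, BUF_SIZE) call it pairs with, so the two lengths are kept in step if either changes.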
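
Added example (not part of the original post and not speechd-up code): the same read-then-terminate pattern with the terminator slot reserved in the read length and the error return checked before it is used as an index. The helper and demo function names and the BUF_SIZE value of 16 are assumptions made for illustration.

```c
#include <string.h>
#include <unistd.h>
#define BUF_SIZE 16 /* constructed value; the page does not show the real one */

/* Hypothetical helper: store at most cap-1 bytes and always NUL-terminate.
 * Returns bytes stored (0 on EOF), or -1 on error with buf left empty. */
static ssize_t read_terminated(int fd, char *buf, size_t cap)
{
    ssize_t n;
    if (cap == 0)
        return -1;
    n = read(fd, buf, cap - 1); /* last byte is reserved for the NUL */
    if (n < 0) {
        buf[0] = '\0'; /* never index with a failed read's return value */
        return -1;
    }
    buf[n] = '\0'; /* n <= cap - 1, so this stays in bounds */
    return n;
}

/* Constructed case from the report: exactly BUF_SIZE bytes are waiting.
 * Returns bytes stored, or -2 if setup failed or the guard byte changed. */
static ssize_t demo_full_read(void)
{
    struct { char buf[BUF_SIZE]; char guard; } s = { {0}, 0x5a };
    char payload[BUF_SIZE];
    int p[2];
    ssize_t n = -1;
    memset(payload, 'A', sizeof payload);
    if (pipe(p) != 0)
        return -2;
    if (write(p[1], payload, sizeof payload) == (ssize_t)sizeof payload)
        n = read_terminated(p[0], s.buf, sizeof s.buf);
    close(p[0]);
    close(p[1]);
    return (n >= 0 && s.guard == 0x5a && s.buf[n] == '\0') ? n : -2;
}

/* Error path: read() fails with EBADF, so nothing is indexed. */
static ssize_t demo_bad_fd(void)
{
    char buf[BUF_SIZE];
    return read_terminated(-1, buf, sizeof buf);
}

int main(void)
{
    return (demo_full_read() == BUF_SIZE - 1 && demo_bad_fd() == -1) ? 0 : 1;
}
```

With this variant the remaining byte of a full BUF_SIZE burst is picked up by the next read rather than dropped.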