Aren/haiku
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bug found by mmlr, since the "inText" is not terminated, strcpy could overwrite

Browse Source 
a random amount of memory of the allocated "buffer". If it were terminated, it
would overwrite one byte, since it will also terminate the destination buffer,
which didn't contain the necessary room. Use strlcpy() instead and provide
enough room.


git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@36172 a95241bf-73f2-0310-859d-f6bbb57e9c96
This commit is contained in:
Stephan Aßmus 2010-04-11 21:20:39 +00:00
parent 7c86c0a813
commit 954af58694
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/kits/interface/TextInput.cpp
View File

@ -207,10 +207,10 @@ _BTextInput_::InsertText(const char* inText, int32 inLength,
char* buffer = NULL;
if (strpbrk(inText, "\r\n") && inLength <= 1024) {
buffer = (char*)malloc(inLength);
buffer = (char*)malloc(inLength + 1);
if (buffer) {
strcpy(buffer, inText);
strlcpy(buffer, inText, inLength);
for (int32 i = 0; i < inLength; i++) {
if (buffer[i] == '\r' || buffer[i] == '\n')