From 954af58694a58f74c861e276ca8b76b0836ac4f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20A=C3=9Fmus?=
Date: Sun, 11 Apr 2010 21:20:39 +0000
Subject: [PATCH] Bug found by mmlr, since the "inText" is not terminated, strcpy could overwrite a random amount of memory of the allocated "buffer". If it were terminated, it would overwrite one byte, since it will also terminate the destination buffer, which didn't contain the necessary room. Use strlcpy() instead and provide enough room.
git-svn-id: file:///srv/svn/repos/haiku/haiku/trunk@36172 a95241bf-73f2-0310-859d-f6bbb57e9c96
---
 src/kits/interface/TextInput.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/kits/interface/TextInput.cpp b/src/kits/interface/TextInput.cpp
index 30c5e6d510..f1bbd6f1e3 100644
--- a/src/kits/interface/TextInput.cpp
+++ b/src/kits/interface/TextInput.cpp
@@ -207,10 +207,10 @@ _BTextInput_::InsertText(const char* inText, int32 inLength,
 char* buffer = NULL;
 if (strpbrk(inText, "\r\n") && inLength <= 1024) {
- buffer = (char*)malloc(inLength);
+ buffer = (char*)malloc(inLength + 1);
 if (buffer) {
- strcpy(buffer, inText);
+ strlcpy(buffer, inText, inLength);
 for (int32 i = 0; i < inLength; i++) {
 if (buffer[i] == '\r' || buffer[i] == '\n')