On Mon, Apr 04, 2016 at 10:03:34AM +0200, Fabiano Fidêncio wrote:
> We are allocating insufficient memory for the terminating null of the
> string.
> ---
> common/ssl_verify.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 601252e..4292ddf 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -283,8 +283,8 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
> spice_return_val_if_fail(subject != NULL, NULL);
> spice_return_val_if_fail(nentries != NULL, NULL);
>
> - key = (char*)alloca(strlen(subject));
> - val = (char*)alloca(strlen(subject));
> + key = (char*)alloca(strlen(subject) + 1);
> + val = (char*)alloca(strlen(subject) + 1);
> in_subject = X509_NAME_new();

Can it try to write too many chars to the string in practice? We expect the
string to contain a '=', so key/state will be smaller than subject. If there
is no '=' in the string, we don't try to add a '\0' to 'key' (I did not
check the 'val' code path).

Christophe
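Review bot: the `+ 1` on both alloca calls is a correct worst-case bound (any substring of subject plus its NUL terminator now fits), but the commit message only says the allocation is too small and the hunk does not show the write that would need the extra byte; please cite the write in subject_to_x509_name that can reach strlen(subject) + 1 bytes, or, if every write stops at an '=' as the reply above suggests, state that this is a defensive bound rather than a fix for a reachable overflow, so the change is classified correctly. Separately, sizing two stack buffers with alloca from the length of a caller-supplied subject leaves no failure path when the input is large; a heap allocation with an explicit, checked size would make the bound visible at the point of use.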
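As an added illustration of the sizing question raised in the reply (this is not spice-gtk's code; `bytes_needed`, `split_component` and `splits_into` are hypothetical helpers written for this thread, and the sample components are constructed), a minimal "key=value" splitter in C whose every write is bounded, so the difference between a buffer of strlen(subject) and strlen(subject) + 1 bytes can be checked directly:

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not spice-gtk code: a minimal "key=value"
 * splitter with explicitly bounded writes. Function names are
 * hypothetical; they do not exist in common/ssl_verify.c. */

/* Largest buffer (in bytes, NUL included) that either the key or the
 * value of `component` could need. With an '=' present both parts are
 * strict substrings, so the bound never exceeds strlen(component);
 * with no '=' the whole string would be the key and needs strlen + 1. */
size_t bytes_needed(const char *component)
{
    const char *eq = strchr(component, '=');
    if (eq == NULL)
        return strlen(component) + 1;
    size_t klen = (size_t)(eq - component);
    size_t vlen = strlen(eq + 1);
    return (klen > vlen ? klen : vlen) + 1;
}

/* Split `component` at its first '=' into key and val. Every write is
 * checked against the caller's buffer sizes; on any shortfall nothing
 * is written and -1 is returned. Returns 0 on success. */
int split_component(const char *component,
                    char *key, size_t key_size,
                    char *val, size_t val_size)
{
    const char *eq = strchr(component, '=');
    if (eq == NULL)
        return -1;                      /* no '=': refuse, write nothing */
    size_t klen = (size_t)(eq - component);
    size_t vlen = strlen(eq + 1);
    if (klen + 1 > key_size || vlen + 1 > val_size)
        return -1;                      /* would overflow: refuse */
    memcpy(key, component, klen);
    key[klen] = '\0';
    memcpy(val, eq + 1, vlen);
    val[vlen] = '\0';
    return 0;
}

/* Does `component` split into two buffers of `bufsize` bytes each?
 * Returns 1 on success, 0 otherwise. Lets the pre-patch size strlen(s)
 * be compared with the post-patch size strlen(s) + 1. */
int splits_into(const char *component, size_t bufsize)
{
    char key[64], val[64];
    if (bufsize > sizeof key)
        return 0;
    return split_component(component, key, bufsize, val, bufsize) == 0;
}

int main(void)
{
    /* Constructed sample components for the demonstration. */
    const char *samples[] = { "CN=host.example", "CN=", "=value", "nosign" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *s = samples[i];
        size_t n = strlen(s);
        printf("%-16s strlen=%zu needed=%zu fits_in_strlen=%d fits_in_strlen+1=%d\n",
               s, n, bytes_needed(s), splits_into(s, n), splits_into(s, n + 1));
    }
    return 0;
}
```

Running it shows the point made in the reply: whenever an '=' is present, both the key and the value (each with its terminator) fit in strlen(subject) bytes, even for the edge cases "CN=" and "=value", so the extra byte from the patch only matters if some code path copies the whole string into one buffer. The "nosign" sample is the one case where bytes_needed exceeds strlen, and this splitter refuses to write anything for it rather than relying on the buffer size.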
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel