On Mon, Apr 4, 2016 at 10:29 AM, Christophe Fergeau <cfergeau@xxxxxxxxxx> wrote:
> On Mon, Apr 04, 2016 at 10:03:34AM +0200, Fabiano Fidêncio wrote:
>> We are allocating insufficient memory for the terminating null of the
>> string.
>> ---
>>  common/ssl_verify.c | 4 ++--
>>  1 file changed, 2 insertions(+), 2 deletions(-)
>>
>> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
>> index 601252e..4292ddf 100644
>> --- a/common/ssl_verify.c
>> +++ b/common/ssl_verify.c
>> @@ -283,8 +283,8 @@ static X509_NAME* subject_to_x509_name(const char *subject, int *nentries)
>>      spice_return_val_if_fail(subject != NULL, NULL);
>>      spice_return_val_if_fail(nentries != NULL, NULL);
>>
>> -    key = (char*)alloca(strlen(subject));
>> -    val = (char*)alloca(strlen(subject));
>> +    key = (char*)alloca(strlen(subject) + 1);
>> +    val = (char*)alloca(strlen(subject) + 1);
>>      in_subject = X509_NAME_new();
>
> Can try to write too many chars to the string in practice? We expect the
> string to contain a '=', so key/state will be smaller than subject. If
> there is no '=' in the string, we don't try to add a '\0' to 'key' (I
> did not check the 'val' code path).

Makes sense. I'll drop this patch.

>
> Christophe

_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
https://lists.freedesktop.org/mailman/listinfo/spice-devel
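Review bot: the original sizing `alloca(strlen(subject))` for both `key` and `val` is only safe because of an invariant that is not stated at the allocation site: each buffer receives a proper substring of `subject` (the part before or after an '='), so the copy plus its terminator always fits in `strlen(subject)` bytes. Nothing in the hunk records that, and the correctness depends on the parsing code further down never writing a full-length copy of `subject` into either buffer. Either keep the `+ 1` (one extra stack byte, no measurable cost) or, if the patch is dropped, add a one-line comment above the two `alloca()` calls explaining why `strlen(subject)` suffices, so a later change to the split logic cannot silently turn this into an off-by-one write on the stack.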