If pap->pa_cnt is 0, then the local buffer is allocated as 1 byte, but the code then writes two bytes to it '/' and '\0'.
Signed-off-by: Mike Frysinger <vapier@xxxxxxxxxx>
---
 common/path.c | 2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/common/path.c b/common/path.c
index 66320de..ca24f6a 100644
--- a/common/path.c
+++ b/common/path.c
@@ -285,6 +285,8 @@ pa_gen( pa_t *pap )
 for ( i = 0 ; i < pap->pa_cnt ; i++ ) {
 sz += strlen( pap->pa_array[ i ] ) + 1;
 }
+ if ( i == 0 )
+ sz++;
 sz++;
 retp = ( char * )malloc( sz );
-- 
1.7.6.1
_______________________________________________
xfs mailing list xfs@xxxxxxxxxxx http://oss.sgi.com/mailman/listinfo/xfs
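Review bot: The added guard `if ( i == 0 )` detects the empty-path case through the loop index left over after the `for`, so the allocation size depends on a side effect of the loop rather than on the condition the description names. Testing the count directly, `if ( pap->pa_cnt <= 0 )`, selects the same cases and keeps working if the loop is later rewritten. Because the size computed here has to match the bytes written further down (the '/' and '\0' the description mentions), a comment such as `/* an empty path is emitted as "/" plus NUL: reserve 2 bytes */` above the guard would keep the two in step. The write itself and any check of the `malloc( sz )` result lie outside this hunk, so whether a failed allocation is handled before the buffer is written cannot be confirmed from here; pa_gen's body starts and ends outside the hunk.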