Closed
Bug 356686
Opened 18 years ago
Closed 18 years ago
strcpy, 1-byte heap overflow in WINCE build stdlib.cpp
Categories
(Minimo Graveyard :: General, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ehoffman, Assigned: dougt)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: 1.5.0.7
In the file mozilla\build\wince\shunt\stdlib.cpp, in function mozce_splitpath, there is a 1-byte overflow strcpy.
----------
char* dup = (char*) malloc(strlen(inPath));
if(NULL != dup)
{
    strcpy(dup, inPath);
    ...
----------
1 more byte should be allocated to account for the trailing zero, as follows:
char* dup = (char*) malloc(strlen(inPath) + 1);
Reproducible: Always
Steps to Reproduce:
N/A, see source code
Actual Results:
buffer overflow
Expected Results:
N/A
N/A
Assignee
Updated • 18 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee
Comment 1 • 18 years ago
nice find. thanks.
Checking in stdlib.cpp;
/cvsroot/mozilla/build/wince/shunt/stdlib.cpp,v <-- stdlib.cpp
new revision: 1.6.8.3; previous revision: 1.6.8.2
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
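The sizing error reported above, as an added example that is not part of the bug report or the Mozilla source: a guard byte placed directly after the usable bytes shows `strcpy` writing its terminating NUL one byte past a `strlen(inPath)`-sized buffer, and staying in bounds with `strlen(inPath) + 1`. The names `guarded_alloc` and `copy_overruns`, the guard value and the sample paths are all constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GUARD 0xA5 /* constructed guard value; differs from the NUL strcpy writes */

/* Hypothetical helper: n usable bytes plus one trailing guard byte, so a
 * 1-byte overrun lands on the guard instead of outside the allocation. */
static char *guarded_alloc(size_t n)
{
    char *p = malloc(n + 1);
    if (p != NULL)
        p[n] = (char)GUARD;
    return p;
}

/* Copy in_path into a buffer sized as in the report (add_one == 0) or as in
 * the fix (add_one == 1). Returns 1 if strcpy wrote past the usable bytes,
 * 0 if it stayed in bounds, -1 if allocation failed. */
static int copy_overruns(const char *in_path, int add_one)
{
    size_t usable = strlen(in_path) + (add_one ? 1 : 0);
    char *dup = guarded_alloc(usable);
    int overrun;

    if (dup == NULL)
        return -1;
    strcpy(dup, in_path); /* writes strlen(in_path) + 1 bytes */
    overrun = ((unsigned char)dup[usable] != GUARD);
    free(dup);
    return overrun;
}

int main(void)
{
    /* Constructed sample paths; the empty string is the malloc(0) case. */
    const char *samples[] = { "\\Windows\\minimo.exe", "a", "" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len=%zu  strlen sizing: %d  strlen+1 sizing: %d\n",
               strlen(samples[i]),
               copy_overruns(samples[i], 0), copy_overruns(samples[i], 1));
    return 0;
}
```

Heap allocators commonly round request sizes up, so the original one-byte overrun often produces no visible crash; an explicit guard like this, or a memory-checking build, is what makes it observable.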