strcpy, 1-byte heap overflow in WINCE build stdlib.cpp

Status: RESOLVED FIXED
Reported: 12 years ago
Modified: 12 years ago

People

(Reporter: ehoffman, Assigned: dougt)

Tracking

WinCE
Other
Other


Description

12 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: 1.5.0.7

In the file mozilla\build\wince\shunt\stdlib.cpp, in function mozce_splitpath, there is a 1-byte heap overflow in a strcpy.

----------

char* dup = (char*) malloc(strlen(inPath));   // room for the characters only, none for the terminating NUL
if(NULL != dup)
{
   strcpy(dup, inPath);                      // writes strlen(inPath) + 1 bytes: the last one lands past the end of dup
   ...

----------

1 more byte should be allocated to account for the trailing zero, as follows:

char* dup = (char*) malloc(strlen(inPath) + 1);

Reproducible: Always

Steps to Reproduce:
N/A, see source code

Actual Results:
buffer overflow

Expected Results:
N/A

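The report in working C, as an added example and not code from the Mozilla tree: the two byte counts that disagree in the quoted snippet, a corrected duplicate using the +1 the report proposes, and a hypothetical bounded split_path standing in for mozce_splitpath (its directory/filename semantics and signature are assumed).

```c
/* Added example (not Mozilla code); split_path is a hypothetical stand-in. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bytes malloc'd by the reported snippet versus bytes strcpy writes. */
size_t bytes_allocated_buggy(const char *inPath) { return strlen(inPath); }
size_t bytes_written_by_strcpy(const char *inPath) { return strlen(inPath) + 1; }

/* Corrected duplicate: one byte for every character plus the NUL, copied with
 * the same length value that sized the allocation. */
char *dup_path_fixed(const char *inPath)
{
    size_t len = strlen(inPath);
    char *dup = (char *)malloc(len + 1);   /* the +1 from the report */
    if (dup == NULL)
        return NULL;
    memcpy(dup, inPath, len + 1);          /* includes the terminator */
    return dup;
}

/* Hypothetical splitpath-style helper (semantics assumed, not Mozilla's):
 * dir gets everything through the last backslash, fname the rest. Both
 * destination sizes are passed in and checked before any write. Returns 0 on
 * success, -1 if either destination is too small. */
int split_path(const char *path, char *dir, size_t dirsz, char *fname, size_t fnsz)
{
    const char *sep = strrchr(path, '\\');
    size_t dirlen = sep ? (size_t)(sep - path) + 1 : 0;
    const char *name = path + dirlen;
    size_t namelen = strlen(name);
    if (dirlen + 1 > dirsz || namelen + 1 > fnsz)
        return -1;                         /* refuse rather than overflow */
    memcpy(dir, path, dirlen);
    dir[dirlen] = '\0';
    memcpy(fname, name, namelen + 1);
    return 0;
}

int main(void)
{
    const char *p = "\\Windows\\firefox.exe";   /* constructed sample path */
    char dir[32], name[32];
    printf("buggy malloc: %zu bytes, strcpy writes %zu bytes\n",
           bytes_allocated_buggy(p), bytes_written_by_strcpy(p));
    char *d = dup_path_fixed(p);
    if (d != NULL && split_path(d, dir, sizeof dir, name, sizeof name) == 0)
        printf("dir=%s name=%s\n", dir, name);
    free(d);
    return 0;
}
```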

Updated

12 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 1

12 years ago
Nice find. Thanks.

Checking in stdlib.cpp;
/cvsroot/mozilla/build/wince/shunt/stdlib.cpp,v  <--  stdlib.cpp
new revision: 1.6.8.3; previous revision: 1.6.8.2
done
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED