Closed Bug 356686 Opened 18 years ago Closed 18 years ago

strcpy, 1-byte heap overflow in WINCE build stdlib.cpp

Categories

(Minimo Graveyard :: General, defect)

WinCE
Other
Other
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ehoffman, Assigned: dougt)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.7) Gecko/20060909 Firefox/1.5.0.7
Build Identifier: 1.5.0.7

In the file mozilla\build\wince\shunt\stdlib.cpp, in function mozce_splitpath, there is a 1-byte overflow strcpy.

----------
char* dup = (char*) malloc(strlen(inPath));
if(NULL != dup) {
    strcpy(dup, inPath);
    ...
----------

1 more byte should be allocated to account for trailing zero, as follows:

char* dup = (char*) malloc(strlen(inPath) + 1);

Reproducible: Always

Steps to Reproduce:
N/A, see source code

Actual Results:
buffer overflow

Expected Results:
N/A

N/A
Status: UNCONFIRMED → NEW
Ever confirmed: true
nice find. thanks.

Checking in stdlib.cpp;
/cvsroot/mozilla/build/wince/shunt/stdlib.cpp,v  <--  stdlib.cpp
new revision: 1.6.8.3; previous revision: 1.6.8.2
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
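
The sizing error reported above next to a hardened form of the duplicate, as an added example that is not part of the bug report or the Mozilla source. The helper names `strcpy_footprint`, `strcpy_overrun` and `dup_path` and the sample path are hypothetical, constructed for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Bytes strcpy() stores for src: every character plus the terminating NUL. */
static size_t strcpy_footprint(const char *src)
{
    return strlen(src) + 1;
}

/* How many bytes strcpy(dst, src) would write past a dst of `capacity`
 * bytes. Returns 0 when the copy fits. */
static size_t strcpy_overrun(size_t capacity, const char *src)
{
    size_t need = strcpy_footprint(src);
    return need > capacity ? need - capacity : 0;
}

/* Hardened duplicate (hypothetical helper): sizes the buffer for the
 * terminator, rejects NULL, and copies with an explicit length. */
static char *dup_path(const char *in_path)
{
    if (in_path == NULL)
        return NULL;

    size_t len = strlen(in_path);
    if (len == SIZE_MAX)           /* len + 1 would wrap to 0 */
        return NULL;

    char *dup = malloc(len + 1);
    if (dup == NULL)
        return NULL;

    memcpy(dup, in_path, len + 1); /* includes the trailing NUL */
    return dup;
}

int main(void)
{
    const char *sample = "\\Windows\\minimo.exe"; /* constructed sample path */
    /* The reported sizing, malloc(strlen(inPath)), is one byte short. */
    size_t short_by = strcpy_overrun(strlen(sample), sample);
    char *copy = dup_path(sample);
    int ok = short_by == 1 && copy != NULL && strcmp(copy, sample) == 0;
    free(copy);
    return ok ? 0 : 1;
}
```

Building code that uses the original `malloc(strlen(inPath))` sizing with AddressSanitizer (`-fsanitize=address`) reports the `strcpy` as a heap-buffer-overflow.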