49 lines
1.2 KiB
Diff
49 lines
1.2 KiB
Diff
From: Jarrod Johnson <jbjohnso@us.ibm.com>
|
|
|
|
Fix StrnCpy bug that would overflow dst buffer if length of src met or exceeded passed size value.
|
|
diff -urN elilo/strops.c elilo-strncpy-overflow-fix/strops.c
|
|
--- elilo/strops.c 2003-08-19 12:47:41.000000000 -0400
|
|
+++ elilo-strncpy-overflow-fix/strops.c 2009-02-07 11:17:10.000000000 -0500
|
|
@@ -41,11 +41,11 @@
|
|
{
|
|
CHAR16 *res = dst;
|
|
|
|
- while (size-- && (*dst++ = *src++) != CHAR_NULL);
|
|
+ while (size && size-- && (*dst++ = *src++) != CHAR_NULL);
|
|
/*
|
|
* does the null padding
|
|
*/
|
|
- while (size-- > 0) *dst++ = CHAR_NULL;
|
|
+ while (size && size-- > 0) *dst++ = CHAR_NULL;
|
|
|
|
return res;
|
|
}
|
|
@@ -55,11 +55,11 @@
|
|
{
|
|
CHAR8 *res = dst;
|
|
|
|
- while (size-- && (*dst++ = (CHAR8)*src++) != '\0');
|
|
+ while (size && size-- && (*dst++ = (CHAR8)*src++) != '\0');
|
|
/*
|
|
* does the null padding
|
|
*/
|
|
- while (size-- > 0) *dst++ = '\0';
|
|
+ while (size && size-- > 0) *dst++ = '\0';
|
|
|
|
return res;
|
|
}
|
|
@@ -76,11 +76,11 @@
|
|
{
|
|
CHAR8 *res = dst;
|
|
|
|
- while (size-- && (*dst++ = *src++) != '\0');
|
|
+ while (size && size-- && (*dst++ = *src++) != '\0');
|
|
/*
|
|
* does the null padding
|
|
*/
|
|
- while (size-- > 0) *dst++ = '\0';
|
|
+ while (size && size-- > 0) *dst++ = '\0';
|
|
|
|
return res;
|
|
}
|