Mesa (master): glsl: fix heap-buffer-overflow

Nicolai Hähnle nh at kemper.freedesktop.org
Tue Jan 31 14:59:14 UTC 2017


Module: Mesa
Branch: master
Commit: fc27181f9e51441a26b7eb4f62794b5e9a994644
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=fc27181f9e51441a26b7eb4f62794b5e9a994644

Author: Bartosz Tomczyk <bartosz.tomczyk86 at gmail.com>
Date:   Tue Jan 31 12:02:20 2017 +0100

glsl: fix heap-buffer-overflow

The `end+1` skips the ']', whereas the `strlen+1` includes the final
'\0' in the move to terminate the string.

Cc: mesa-stable at lists.freedesktop.org
Reviewed-by: Eric Engestrom <eric.engestrom at imgtec.com>
Reviewed-by: Nicolai Hähnle <nicolai.haehnle at amd.com>

---

 src/compiler/glsl/link_uniforms.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
index 8930d26..e9a2053 100644
--- a/src/compiler/glsl/link_uniforms.cpp
+++ b/src/compiler/glsl/link_uniforms.cpp
@@ -535,7 +535,7 @@ private:
             const char *str_end;
             while((str_start = strchr(name_copy, '[')) &&
                   (str_end = strchr(name_copy, ']'))) {
-               memmove(str_start, str_end + 1, 1 + strlen(str_end));
+               memmove(str_start, str_end + 1, 1 + strlen(str_end + 1));
             }
 
             unsigned index = 0;
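
Review bot: the loop condition `(str_end = strchr(name_copy, ']'))` searches for ']' from the start of `name_copy` rather than from `str_start`, so the corrected count `1 + strlen(str_end + 1)` stays in bounds only when the first ']' comes after the first '['. If a ']' ever preceded the '[', the `memmove` destination would sit above its source and the copy would again write past the string's terminator. Searching with `strchr(str_start, ']')` would guarantee the move always shifts the tail left. A one-line comment above the `memmove` saying that the count covers the text after ']' plus the '\0' would also help keep the `+ 1` from being misplaced again.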



