[Mesa-dev] [PATCH v2] glsl: fix heap-buffer-overflow
Bartosz Tomczyk
bartosz.tomczyk86 at gmail.com
Tue Jan 31 11:02:20 UTC 2017
The `end+1` skips the ']', whereas the `strlen+1` includes the final
'\0' in the move to terminate the string.
---
src/compiler/glsl/link_uniforms.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
index a450aa03a8..4f047884e9 100644
--- a/src/compiler/glsl/link_uniforms.cpp
+++ b/src/compiler/glsl/link_uniforms.cpp
@@ -535,7 +535,7 @@ private:
const char *str_end;
while((str_start = strchr(name_copy, '[')) &&
(str_end = strchr(name_copy, ']'))) {
- memmove(str_start, str_end + 1, 1 + strlen(str_end));
+ memmove(str_start, str_end + 1, 1 + strlen(str_end + 1));
}
unsigned index = 0;
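Review bot: the loop condition still searches for ']' from name_copy rather than from str_start, so the corrected length in the memmove is only in bounds when the ']' that strchr finds lies after the '['. If a ']' ever appeared earlier in the string, str_end + 1 would point before str_start and 1 + strlen(str_end + 1) bytes would be written past the end of the buffer starting at str_start. Consider `(str_end = strchr(str_start, ']'))` so the pair is always ordered. The length fix itself is right: the old 1 + strlen(str_end) counted the ']' that the source pointer had already skipped, so it read one byte past the terminating '\0'.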
--
2.11.0