[Mesa-dev] [PATCH v2] glsl: fix heap-buffer-overflow

Nicolai Hähnle nhaehnle at gmail.com
Tue Jan 31 14:59:36 UTC 2017


On 31.01.2017 12:02, Bartosz Tomczyk wrote:
> The `end+1` skips the ']', whereas the `strlen+1` includes the final
> '\0' in the move to terminate the string.

Thanks! R-b and pushed.

Nicolai

> ---
>  src/compiler/glsl/link_uniforms.cpp | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
> index a450aa03a8..4f047884e9 100644
> --- a/src/compiler/glsl/link_uniforms.cpp
> +++ b/src/compiler/glsl/link_uniforms.cpp
> @@ -535,7 +535,7 @@ private:
>              const char *str_end;
>              while((str_start = strchr(name_copy, '[')) &&
>                    (str_end = strchr(name_copy, ']'))) {
> -               memmove(str_start, str_end + 1, 1 + strlen(str_end));
> +               memmove(str_start, str_end + 1, 1 + strlen(str_end + 1));
>              }
>
>              unsigned index = 0;
>
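Review bot: the `]` lookup in the loop condition still starts from `name_copy` rather than from `str_start`, so a `]` appearing before the `[` would make `str_end + 1` sit below `str_start` and the `memmove` would write past the terminating NUL; `strchr(str_start, ']')` would remove that reliance on the name being well-formed. The length change itself is right: `strlen(str_end)` counts the `]`, so the old `1 + strlen(str_end)` is two bytes more than `strlen(str_end + 1)`, one byte more than the remainder plus its NUL, and that extra byte was read past the end of `name_copy`; `1 + strlen(str_end + 1)` is exactly the bytes that exist.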

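As an added example, not code from the patch or from Mesa: the bracket-stripping loop with the corrected length, in C, alongside a helper that computes how many bytes the old `1 + strlen(str_end)` expression asks for beyond what actually exists after the `]`. The names `strip_array_indices`, `stripped` and `overread_bytes` and the sample names are mine; the `]` search starts from `str_start` rather than from the start of the buffer, a deliberate difference from the patch so that a stray `]` ahead of the `[` cannot drive the move backwards.

```c
#include <stdio.h>
#include <string.h>

/*
 * Remove every "[...]" segment from NAME in place, as the fixed loop in
 * link_uniforms.cpp does. Per iteration the bytes after ']' are moved down
 * over the '[', together with the terminating NUL: strlen(str_end + 1) + 1
 * bytes, which is exactly what exists from str_end + 1 onward.
 * (Example code; the ']' search from str_start is a local choice.)
 */
static void strip_array_indices(char *name)
{
   char *str_start;
   char *str_end;

   while ((str_start = strchr(name, '[')) &&
          (str_end = strchr(str_start, ']'))) {
      memmove(str_start, str_end + 1, 1 + strlen(str_end + 1));
   }
}

/* Copy NAME into a scratch buffer, strip it, and return the result. */
static const char *stripped(const char *name)
{
   static char buf[256];

   snprintf(buf, sizeof buf, "%s", name);
   strip_array_indices(buf);
   return buf;
}

/*
 * For the first ']' in NAME, compare the byte count the old expression
 * 1 + strlen(str_end) would have read from str_end + 1 against the bytes
 * that really exist there (remainder plus NUL). Returns the overshoot;
 * it is 1 for any name containing ']', which is the one-byte heap over-read
 * the patch removes. Returns 0 when there is no ']'.
 */
static size_t overread_bytes(const char *name)
{
   const char *str_end = strchr(name, ']');
   size_t available, buggy;

   if (!str_end)
      return 0;
   available = 1 + strlen(str_end + 1); /* corrected length */
   buggy = 1 + strlen(str_end);         /* length before the patch */
   return buggy - available;
}

int main(void)
{
   /* Constructed sample uniform names. */
   const char *samples[] = { "foo[0].bar[12]", "a[1]", "m[2][3]", "plain" };
   size_t i;

   for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
      printf("%-16s -> %-10s over-read before fix: %zu byte(s)\n",
             samples[i], stripped(samples[i]), overread_bytes(samples[i]));
   }
   return 0;
}
```

Running it shows that the old length always exceeds the available bytes by exactly one, independent of how much text follows the `]`, which is why the original showed up as a one-byte heap-buffer-overflow read rather than a larger corruption.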

