I have found a bug in the toolbox utility.
Not having participated in this forum before I wasn't sure exactly
where to send this. I have attached a patch which fixes the buffer
overrun issue in mount.c (which caused a segfault for me). The problem
is that 'len' is incremented _after_ 'newlen' is calculated. If you
have two arguments where the second is exactly 2 characters longer
than the first, then the writing of the NULL character by strcpy()
will overrun the allocated buffer when copying the second argument
(because no space was allocated for the ',' character).

Hopefully that made reasonable sense. If not, the diff should show the problem.

I receive digest emails, so please email me directly with any problems
- thanks :-)

        -Jeremy

-- 
--------------------------------------------------
Jeremy C. Andrus

e: [email protected]
w: http://jeremya.com/
l: New York, NY
p: +1 616 439 0522
--------------------------------------------------
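Added example, not the author's code or the patch itself: a memory-safe model of the sizing arithmetic in add_extra_option, run with the original ordering (newlen computed before the ',' separator is counted) and with the patched ordering. Only the hunk lines are on this page; the rest of the function is assumed here: the struct fields beyond those named in the hunk, a realloc to newlen + 1 bytes with alloc_size set to newlen, the ',' written before the new option, and a final strcpy. Instead of reproducing the crash, the model computes how many bytes that final copy would land past the allocation and only performs the copy when it fits.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of the accumulator. str, used_size and alloc_size are the names the
 * hunk uses; the growth policy below is an assumption about the unseen code. */
struct extra_opts {
    char *str;
    int used_size;
    int alloc_size;
};

/* Result of the last simulate() call (assumed helper for the model only). */
static char last_str[128];

/* One call of add_extra_option. fixed == 0 places the newlen computation
 * where the original code had it (before len++), fixed != 0 where the patch
 * moves it (after). Returns how many bytes the copy would write past the
 * allocation (0 = in bounds) and performs the copy only when it fits. */
static int add_extra_option_model(struct extra_opts *extra, const char *s, int fixed)
{
    int len = (int)strlen(s);
    int newlen = extra->used_size + len;        /* original placement */

    if (extra->str)
        len++;                                  /* +1 for ',' */

    if (fixed)
        newlen = extra->used_size + len;        /* patched placement */

    if (newlen >= extra->alloc_size) {
        /* Assumed growth policy: newlen + 1 bytes, the +1 for the NUL. */
        char *grown = realloc(extra->str, (size_t)newlen + 1);
        if (!grown)
            return -1;
        extra->str = grown;
        extra->alloc_size = newlen;
    }

    /* Bytes the write below needs: existing text, optional ',', s, NUL. */
    int needed = extra->used_size + len + 1;
    /* The first call always grows, so the block is alloc_size + 1 bytes. */
    int capacity = extra->alloc_size + 1;
    int overrun = needed > capacity ? needed - capacity : 0;

    if (overrun == 0) {
        char *dst = extra->str + extra->used_size;
        if (extra->used_size)
            *dst++ = ',';
        strcpy(dst, s);
        extra->used_size += len;
    }
    return overrun;
}

/* Feed two options through the model and return the overrun of the second
 * call; last_str receives whatever was actually written. */
static int simulate(const char *first, const char *second, int fixed)
{
    struct extra_opts extra = { NULL, 0, 0 };
    int overrun;

    add_extra_option_model(&extra, first, fixed);
    overrun = add_extra_option_model(&extra, second, fixed);

    snprintf(last_str, sizeof last_str, "%s", extra.str ? extra.str : "");
    free(extra.str);
    return overrun;
}

int main(void)
{
    /* Constructed inputs matching the report: "sync" is 2 chars longer than "ro". */
    int bad = simulate("ro", "sync", 0);
    printf("original ordering: overrun=%d (wrote \"%s\")\n", bad, last_str);
    int good = simulate("ro", "sync", 1);
    printf("patched ordering:  overrun=%d (wrote \"%s\")\n", good, last_str);
    return 0;
}
```

With the original ordering the size check is one byte short, so the NUL that strcpy appends would fall just past the block; with the patched ordering needed and capacity agree and the second option is appended cleanly.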

diff --git a/toolbox/mount.c b/toolbox/mount.c
index 472c952..537f769 100644
--- a/toolbox/mount.c
+++ b/toolbox/mount.c
@@ -60,11 +60,13 @@ static const struct mount_opts options[] = {
 static void add_extra_option(struct extra_opts *extra, char *s)
 {
 	int len = strlen(s);
-	int newlen = extra->used_size + len;
+	int newlen;
 
 	if (extra->str)
 	       len++;			/* +1 for ',' */
 
+	newlen = extra->used_size + len;
+
 	if (newlen >= extra->alloc_size) {
 		char *new;
 
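Review bot: moving `newlen = extra->used_size + len;` below the `len++` for the ',' separator is the right fix: the size check `newlen >= extra->alloc_size` now counts the separator, so the terminating NUL written by the later strcpy stays inside the allocation. A smaller point on the same lines: `len` and `newlen` are declared `int` while `strlen(s)` returns `size_t`; declaring both as `size_t` (and the `used_size`/`alloc_size` fields to match, if they are `int` as well) would avoid the implicit narrowing and the signed comparison in the size check.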
