On Tue, 15 Feb 2005, Stefan Petersen wrote:
On Tue, 8 Feb 2005, Tomasz Motylewski wrote:
Hello,
Yesssssssssssss.... That was it. Changing "1" to "2" did the trick. Core dumps are gone... "gerbv" works like a charm on RH8.
    filename = dirname(filename);
    if (screen.path)
        free(screen.path);
    screen.path = (char *)malloc(strlen(filename) + 1);
    strcpy(screen.path, filename);
    screen.path = strncat(screen.path, "/", 1);
This is it (in fact it is a classical one)!
strlen(filename) gives the length of filename EXCLUDING the trailing \0. A buffer of size strlen(filename)+1 does have just enough space to include the trailing \0. When appending "/", you write past the end of that buffer. You have to change the +1 to a +2.
73, Mario
-- 
Mario Klebsch [EMAIL PROTECTED]
I have committed this bugfix to 1.0 and to the main gerbv branch. The changes may need a few hours to show in the anonymous CVS on SourceForge.
There were also some other "off by 1" bugs which I have fixed as well (just searched for all strlen() :-)
DOOH!
Thanks for fixing my screw ups, Tomasz!
And _of course_ thanks to Mario and primorec for finding and solving this hard to catch bug.
/spe
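
The byte accounting discussed in this thread, as an added example that is not part of the original messages or the gerbv source. The names make_dir_prefix and dir_prefix_size are hypothetical and the path in main() is constructed; the example goes slightly beyond the thread by copying the string before dirname() and by not doubling the separator when the directory is "/".

```c
#include <libgen.h>   /* dirname() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed for dir + "/" + NUL: strlen() excludes the NUL, so the
 * appended separator and the terminator each need their own byte (+2). */
static size_t dir_prefix_size(const char *dir)
{
    return strlen(dir) + 2;
}

/* Hypothetical helper: return a malloc'd "<directory of filename>/".
 * The caller frees the result. Returns NULL on allocation failure. */
char *make_dir_prefix(const char *filename)
{
    char *copy, *dir, *out;
    size_t size, len;

    /* POSIX dirname() may modify its argument, so work on a copy. */
    copy = malloc(strlen(filename) + 1);
    if (copy == NULL)
        return NULL;
    strcpy(copy, filename);
    dir = dirname(copy);

    size = dir_prefix_size(dir);
    out = malloc(size);
    if (out != NULL) {
        len = strlen(dir);
        /* snprintf() is bounded by size, so a sizing mistake would truncate
         * instead of writing past the heap block. Skip the separator when
         * dirname() already returned "/". */
        snprintf(out, size, "%s%s", dir,
                 (len > 0 && dir[len - 1] == '/') ? "" : "/");
    }
    free(copy);
    return out;
}

int main(void)
{
    char *p = make_dir_prefix("/home/user/boards/demo.gbr"); /* constructed */
    if (p == NULL)
        return 1;
    printf("%s\n", p);
    free(p);
    return 0;
}
```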
