Module: Mesa Branch: master Commit: fc27181f9e51441a26b7eb4f62794b5e9a994644 URL: http://cgit.freedesktop.org/mesa/mesa/commit/?id=fc27181f9e51441a26b7eb4f62794b5e9a994644
Author: Bartosz Tomczyk <[email protected]> Date: Tue Jan 31 12:02:20 2017 +0100 glsl: fix heap-buffer-overflow The `end+1` skips the ']', whereas the `strlen+1` includes the final '\0' in the move to terminate the string. Cc: [email protected] Reviewed-by: Eric Engestrom <[email protected]> Reviewed-by: Nicolai Hähnle <[email protected]> --- src/compiler/glsl/link_uniforms.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp index 8930d26..e9a2053 100644 --- a/src/compiler/glsl/link_uniforms.cpp +++ b/src/compiler/glsl/link_uniforms.cpp @@ -535,7 +535,7 @@ private: const char *str_end; while((str_start = strchr(name_copy, '[')) && (str_end = strchr(name_copy, ']'))) { - memmove(str_start, str_end + 1, 1 + strlen(str_end)); + memmove(str_start, str_end + 1, 1 + strlen(str_end + 1)); } unsigned index = 0; _______________________________________________ mesa-commit mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/mesa-commit
