Caught by running test_rev under AddressSanitizer. When the length of
the buffer was 0, it would still try to swap characters due to an off by
one bug.
From c617df571cfbf20c7e19d0097f768e53fc1a9777 Mon Sep 17 00:00:00 2001
From: Andy Chu <[email protected]>
Date: Sat, 19 Mar 2016 22:23:35 -0700
Subject: [PATCH] Fix a small buffer overflow in 'rev' when passed an empty
line.
Caught by running test_rev under AddressSanitizer. When the length of
the buffer was 0, it would still try to swap characters due to an off by
one bug.
---
toys/other/rev.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/toys/other/rev.c b/toys/other/rev.c
index 4cf7214..a61957c 100644
--- a/toys/other/rev.c
+++ b/toys/other/rev.c
@@ -23,12 +23,11 @@ static void do_rev(int fd, char *name)
int len, i;
if (!(c = get_line(fd))) break;
- len = strlen(c) - 1;
- for (i = 0; i <= len/2; i++) {
+ len = strlen(c);
+ for (i = 0; i < len/2; i++) {
char tmp = c[i];
-
- c[i] = c[len-i];
- c[len-i] = tmp;
+ c[i] = c[len-1-i];
+ c[len-1-i] = tmp;
}
xputs(c);
free(c);
--
1.9.1
_______________________________________________
Toybox mailing list
[email protected]
http://lists.landley.net/listinfo.cgi/toybox-landley.net
