From 6f4575c2ad3950af53bcdfd40fe2cce6171179fe Mon Sep 17 00:00:00 2001
From: Matt Fleming
Date: Tue, 27 Nov 2012 16:25:37 +0000
Subject: module: Fix off-by-one error in findpath()
We need to make sure that 'path' still has enough space to write the trailing NUL-byte. Without this patch it's possible to write a NUL-byte past the end of the on-stack buffer.
Signed-off-by: Matt Fleming
---
com32/lib/sys/module/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/com32/lib/sys/module/common.c b/com32/lib/sys/module/common.c
index 30c57b4b..dfbdf617 100644
--- a/com32/lib/sys/module/common.c
+++ b/com32/lib/sys/module/common.c
@@ -71,7 +71,7 @@ FILE *findpath(char *name)
 p = PATH;
 again:
 i = 0;
- while (*p && *p != ':' && i < FILENAME_MAX) {
+ while (*p && *p != ':' && i < FILENAME_MAX - 1) {
 path[i++] = *p++;
 }
@@ -79,7 +79,7 @@ again:
 p++;
 n = name;
- while (*n && i < FILENAME_MAX)
+ while (*n && i < FILENAME_MAX - 1)
 path[i++] = *n++;
 path[i] = '\0';
-- cgit
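Review bot: Both loops now stop at `FILENAME_MAX - 1`, but an over-long candidate is still truncated silently, and `path[i] = '\0'` then terminates a shortened name that the rest of findpath() presumably goes on to open. After the second loop, `*n != '\0'` means the module name did not fit; after the first loop, `*p && *p != ':'` means the PATH entry itself was cut, which would also leave `p` inside that entry for the next pass through `again:`. I would treat either condition as "entry too long" and skip to the next PATH component instead of using the truncated string, so that a long search path cannot resolve to a different file than the one requested. The bound also assumes `path` is declared with `FILENAME_MAX` bytes; the declaration and the rest of findpath() are outside both hunks, so confirm it there.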