summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2011-12-28 20:53:45 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2011-12-28 20:53:45 -0800
commit3835cae3cb1ad1073cbb2711f938beb878b4986c (patch)
tree3f0b0da287bb5e0c8145961fc72c7a184f082abc
parent1447071942dbbbfc37b08417c74c8a1d302c1626 (diff)
Make sure to leave room for trailing nil byte in yyGetNumber
...though really, by the time you've added 1023 digits to the number you want to parse, you've got much bigger problems than an off-by-one error in your buffer count. Fixes parfait warnings: Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf' Array size is 1024 bytes, nInBuf >= 1 and nInBuf <= 1024 at line 625 of xkbscan.c in function 'yyGetNumber'. Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf' Array size is 1024 bytes, nInBuf <= 1025 at line 632 of xkbscan.c in function 'yyGetNumber'. [ This bug was found by the Parfait 0.4.2 bug checking tool. For more information see http://labs.oracle.com/projects/parfait/ ] Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--xkbscan.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/xkbscan.c b/xkbscan.c
index 814a123..22a034f 100644
--- a/xkbscan.c
+++ b/xkbscan.c
@@ -615,16 +615,16 @@ yyGetNumber(int ch)
nInBuf = 1;
while (((ch = scanchar()) != EOF)
&& (isxdigit(ch) || ((nInBuf == 1) && (ch == 'x')))
- && nInBuf < nMaxBuffSize)
+ && nInBuf < (nMaxBuffSize - 1))
{
buf[nInBuf++] = ch;
}
- if (ch == '.')
+ if ((ch == '.') && (nInBuf < (nMaxBuffSize - 1)))
{
isFloat = 1;
buf[nInBuf++] = ch;
while (((ch = scanchar()) != EOF) && (isxdigit(ch))
- && nInBuf < nMaxBuffSize)
+ && nInBuf < (nMaxBuffSize - 1))
{
buf[nInBuf++] = ch;
}