author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2011-12-28 20:53:45 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2011-12-28 20:53:45 -0800 |
commit | 3835cae3cb1ad1073cbb2711f938beb878b4986c (patch) | |
tree | 3f0b0da287bb5e0c8145961fc72c7a184f082abc | |
parent | 1447071942dbbbfc37b08417c74c8a1d302c1626 (diff) |
Make sure to leave room for trailing nil byte in yyGetNumber
...though really, by the time you've added 1023 digits to the number
you want to parse, you've got much bigger problems than an off-by-one
error in your buffer count.
Fixes parfait warnings:
Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
Array size is 1024 bytes, nInBuf >= 1 and nInBuf <= 1024
at line 625 of xkbscan.c in function 'yyGetNumber'.
Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf'
Array size is 1024 bytes, nInBuf <= 1025
at line 632 of xkbscan.c in function 'yyGetNumber'.
[ This bug was found by the Parfait 0.4.2 bug checking tool.
For more information see http://labs.oracle.com/projects/parfait/ ]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | xkbscan.c | 6 |
1 files changed, 3 insertions, 3 deletions
@@ -615,16 +615,16 @@ yyGetNumber(int ch) nInBuf = 1; while (((ch = scanchar()) != EOF) && (isxdigit(ch) || ((nInBuf == 1) && (ch == 'x'))) - && nInBuf < nMaxBuffSize) + && nInBuf < (nMaxBuffSize - 1)) { buf[nInBuf++] = ch; } - if (ch == '.') + if ((ch == '.') && (nInBuf < (nMaxBuffSize - 1))) { isFloat = 1; buf[nInBuf++] = ch; while (((ch = scanchar()) != EOF) && (isxdigit(ch)) - && nInBuf < nMaxBuffSize) + && nInBuf < (nMaxBuffSize - 1)) { buf[nInBuf++] = ch; } |
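Review bot: in both while conditions the new bound `nInBuf < (nMaxBuffSize - 1)` is still tested last, after `(ch = scanchar()) != EOF` has already consumed a character. When the limit is what ends the loop, the digit just read is not stored, and nothing in the lines shown rejects it, so an overlong number is silently truncated. Testing the bound first, as in `while ((nInBuf < (nMaxBuffSize - 1)) && ((ch = scanchar()) != EOF) && ...`, would avoid consuming input that cannot be stored. The same applies to the new `(ch == '.') && (nInBuf < (nMaxBuffSize - 1))` test: with a full buffer the '.' is dropped and isFloat stays unset, so a float is parsed as a truncated integer. Reporting an error when the limit is reached would be safer than continuing with a shortened token. A short comment stating that the `- 1` reserves space for the terminating nil byte would also help, since the write of that byte is outside this hunk.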