Re: gerbv crashes (was Re: gEDA-user: gerbv 1.0 on RH8)



Hi!


On 06.02.2005 at 04:21, primorec wrote:

(gdb) list
842         filename = dirname(filename);
843         if (screen.path)
844             free(screen.path);
845         screen.path = (char *)malloc(strlen(filename) + 1);
846         strcpy(screen.path, filename);
847         screen.path = strncat(screen.path, "/", 1);

This is it (in fact it is a classical one)!

strlen(filename) gives the length of filename EXCLUDING the trailing \0. A buffer of size strlen(filename)+1 does have just enough space to include the trailing \0. When appending "/", you write past the end of that buffer. You have to change the +1 to a +2.

73, Mario
-- Mario Klebsch mario@xxxxxxxxxx
PGP-Key available at http://www.klebsch.de/public.key
Fingerprint DSS: EE7C DBCC D9C8 5DC1 D4DB 1483 30CE 9FB2 A047 9CE0
Diffie-Hellman: D447 4ED6 8A10 2C65 C5E5 8B98 9464 53FF 9382 F518
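
The off-by-one discussed in this message, as an added example that is not part of the original post or of the gerbv sources: a bounds-checked append refuses the "/" when the buffer was sized strlen + 1 and accepts it at strlen + 2. The helper names `append_checked` and `dir_with_slash` and the sample path are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append suffix to buf only if the result plus its terminating NUL fits
 * in cap bytes. Returns 0 on success, -1 if it would overflow. */
static int append_checked(char *buf, size_t cap, const char *suffix)
{
    size_t used = strlen(buf), add = strlen(suffix);

    if (used >= cap || add >= cap - used)  /* need used + add + 1 <= cap */
        return -1;
    memcpy(buf + used, suffix, add + 1);   /* add + 1 copies the NUL too */
    return 0;
}

/* Build "<dir>/" in a buffer of strlen(dir) + extra bytes.
 * extra = 1 is the allocation in the listing, extra = 2 is the fix.
 * Returns NULL if the "/" does not fit or malloc fails. */
static char *dir_with_slash(const char *dir, size_t extra)
{
    size_t len = strlen(dir), cap = len + extra;
    char *path;

    if (extra < 1 || (path = malloc(cap)) == NULL)
        return NULL;
    memcpy(path, dir, len + 1);
    /* strncat(path, "/", 1) would write 2 bytes here: '/' and a NUL. */
    if (append_checked(path, cap, "/") != 0) {
        free(path);
        return NULL;
    }
    return path;
}

int main(void)
{
    const char *dir = "/home/user/boards";  /* constructed sample path */
    char *bad = dir_with_slash(dir, 1);
    char *good = dir_with_slash(dir, 2);

    printf("+1: %s\n", bad ? bad : "(refused, no room for \"/\")");
    printf("+2: %s\n", good ? good : "(refused)");
    free(bad);
    free(good);
    return 0;
}
```

The third argument of `strncat` limits how many source characters are copied, not the size of the destination, so it gives no protection against this overflow.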