Re: gerbv crashes (was Re: gEDA-user: gerbv 1.0 on RH8)

[Stefan Petersen <spe@xxxxxxxxxxxxxx>]

On Tue, 15 Feb 2005, Stefan Petersen wrote:

> On Tue, 8 Feb 2005, Tomasz Motylewski wrote:
>
> > Hallo,
> >
> > > Yesssssssssssss.... That was it. Changing "1" to "2" did the trick.
> > > Core dumps is gone...
> > > "gerbv" works as a charm on RH8.
> >
> > > > > 842         filename = dirname(filename);
> > > > > 843         if (screen.path)
> > > > > 844             free(screen.path);
> > > > > 845         screen.path = (char *)malloc(strlen(filename) + 1);
> > > > > 846         strcpy(screen.path, filename);
> > > > > 847         screen.path = strncat(screen.path, "/", 1);
> > > >
> > > > This is it (in fact it is a classical one)!
> > > >
> > > > strlen(filename) gives the length of filename EXCLUDING the trailing
> > > > \0. A buffer of size strlen(filename)+1 does have just enough space to
> > > > include the trailing \0. When appending "/", you write past the end of
> > > > that buffer. You have to change the +1 to a +2.
> > > >
> > > > 73, Mario
> > > > - --
> > > > Mario Klebsch                                           mario@xxxxxxxxxx
> >
> >
> > I have commited this bugfix to 1.0 and to the main gerbv branch. The 
> > changes
> > may need a few hours to show in the anonymous CVS on SourceForge.
> >
> > There were also some other "off by 1" bugs which I have fixed as well (just
> > searched for all strlen() :-)
>
> DOOH!
>
> Thanks for fixing my screw ups, Tomasz!

And _of course_ thanks to Mario and primorec for finding and solving this 
hard to catch bug.

/spe