From 3835cae3cb1ad1073cbb2711f938beb878b4986c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Wed, 28 Dec 2011 20:53:45 -0800
Subject: Make sure to leave room for trailing nil byte in yyGetNumber

...though really, by the time you've added 1023 digits to the number you want to parse, you've got much bigger problems than an off-by-one error in your buffer count.

Fixes parfait warnings:
Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf' Array size is 1024 bytes, nInBuf >= 1 and nInBuf <= 1024 at line 625 of xkbscan.c in function 'yyGetNumber'.
Buffer overflow (CWE 120): In array dereference of (*buf)[nInBuf] with index 'nInBuf' Array size is 1024 bytes, nInBuf <= 1025 at line 632 of xkbscan.c in function 'yyGetNumber'.

[ This bug was found by the Parfait 0.4.2 bug checking tool. For more information see http://labs.oracle.com/projects/parfait/ ]

Signed-off-by: Alan Coopersmith
---
 xkbscan.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'xkbscan.c')
diff --git a/xkbscan.c b/xkbscan.c
index 814a123..22a034f 100644
--- a/xkbscan.c
+++ b/xkbscan.c
@@ -615,16 +615,16 @@ yyGetNumber(int ch)
 nInBuf = 1;
 while (((ch = scanchar()) != EOF)
 && (isxdigit(ch) || ((nInBuf == 1) && (ch == 'x')))
- && nInBuf < nMaxBuffSize)
+ && nInBuf < (nMaxBuffSize - 1))
 {
 buf[nInBuf++] = ch;
 }
- if (ch == '.')
+ if ((ch == '.') && (nInBuf < (nMaxBuffSize - 1)))
 {
 isFloat = 1;
 buf[nInBuf++] = ch;
 while (((ch = scanchar()) != EOF) && (isxdigit(ch))
- && nInBuf < (nMaxBuffSize - 1))
 {
 buf[nInBuf++] = ch;
 }
--
cgit v1.2.3
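Review bot: In both `while` guards the bound `nInBuf < (nMaxBuffSize - 1)` is the last operand of the `&&` chain, so when it is the test that fails, `scanchar()` has already consumed a character that is neither stored nor, within this hunk, pushed back; an over-long literal is silently truncated and scanning resumes in the middle of the number instead of the input being rejected. The new `'.'` test has the same effect: a dot that arrives with the buffer full is dropped and the value is then parsed as an integer. I would have the function remember that the limit was hit (keep consuming digits without storing them) and report a malformed number in that case, and add a comment at the first guard such as `/* keep one byte free for the terminating NUL written after the loops */`. The start and end of yyGetNumber, including the terminator write and any pushback of `ch`, lie outside the hunk, so this needs checking against the full body.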