Menu
▾
▴
#10 Memory allocation bug in prefs.c
I think there is a bug in prefs.c in line 49 where it says:
filename = malloc (len + 12);
strcpy (filename, home);
if (filename[len-1] != '/')
filename[len++] = '/';
strcpy (filename+len, ".mindlessrc");
If the if-condition is true, the null byte will be written past the end of the buffer because the buffer is len + 12 bytes long and the resulting string is len + 13 bytes long. Under certain circumstances, this leads to the null byte being overwritten, resulting in a wrong (longer) file name. The bug can be fixed by allocating one byte more.
