From: Bastiaan J. <bas...@bj...> - 2014-05-02 17:47:39
Fix a buffer overflow.
1) Allocate sufficient memory to hold each contained pointer.
2) Copy each import path into a new buffer, because each path is
pointing to optarg, which cannot be assumed to be valid after
a new call to getopt().
The allocated memory is never freed, but that doesn't seem to be a big
issue in this program.
diff --git a/util/makeswf.c b/util/makeswf.c
index 4fdc826..4227f11 100644
--- a/util/makeswf.c
+++ b/util/makeswf.c
@@ -64,6 +64,7 @@
#include <sys/types.h>
#include <sys/stat.h>
#include <limits.h>
+#include <assert.h>
#include <ming.h>
#include <ming_config.h>
#include "makeswf.h"
@@ -443,16 +444,22 @@ main (int argc, char **argv)
static void
add_import_spec(char *spec)
{
+ int bytes_per_ptr = sizeof(char**);
if ( numimport_specs == 0 )
{
- import_specs = (char **)malloc(1);
+ import_specs = (char **)malloc(1 * bytes_per_ptr);
}
else
{
import_specs = (char **)realloc(import_specs,
- numimport_specs+1);
+ (numimport_specs+1) * bytes_per_ptr);
}
- import_specs[numimport_specs] = spec;
+
+ char* buf = malloc(strlen(spec)+1);
+ assert(buf);
+ strcpy(buf, spec);
+
+ import_specs[numimport_specs] = buf;
numimport_specs++;
}
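Review bot: The only check on the new `malloc(strlen(spec)+1)` is `assert(buf)`, which is compiled out when the file is built with `NDEBUG`, so an allocation failure would go straight into `strcpy` on a null pointer. The `malloc`/`realloc` results for `import_specs` are not checked at all, and assigning `realloc`'s result directly to `import_specs` loses the old block on failure. Because `spec` comes from the command line (the commit message says it points at `optarg`), an explicit check that exits with an error is preferable to an assertion. The element size is also better taken from the array itself (`sizeof *import_specs`) than from `sizeof(char**)`, which only happens to match. A possible shape is below; the error message is illustrative.

```c
static void
add_import_spec(char *spec)
{
	size_t want = ((size_t)numimport_specs + 1) * sizeof *import_specs;
	char **grown = (numimport_specs == 0)
		? malloc(want)
		: realloc(import_specs, want);
	size_t len = strlen(spec) + 1;
	char *buf = malloc(len);

	/* Checked at run time so the guard survives NDEBUG builds. */
	if ( grown == NULL || buf == NULL )
	{
		fprintf(stderr, "add_import_spec: out of memory\n");
		exit(EXIT_FAILURE);
	}
	import_specs = grown;
	memcpy(buf, spec, len);

	/* … unchanged: store buf in import_specs[numimport_specs], increment count … */
```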