ref: 79e8f53e89d83805784bd2a8832cddc4bc0de608
parent: 265b392e0111e5927a205522d2e257aff495db01
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Mon Jan 13 19:22:13 EST 2014
devdraw: fix memory corruption reading draw ctl file when user does read of exactly 12*12 bytes on draw ctl file, the snprint() adds one more \0 byte writing beyond the user buffer and corrupting memory. fix this by not snprint()ing the final space and add it manually.
--- a/sys/src/9/port/devdraw.c
+++ b/sys/src/9/port/devdraw.c
@@ -1187,10 +1187,11 @@
error(Enodrawimage);
i = di->image;
}
- n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d ",
+ n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d",
cl->clientid, cl->infoid, chantostr(buf, i->chan), (i->flags&Frepl)==Frepl,
i->r.min.x, i->r.min.y, i->r.max.x, i->r.max.y,
i->clipr.min.x, i->clipr.min.y, i->clipr.max.x, i->clipr.max.y);
+ ((char*)a)[n++] = ' ';
cl->infoid = -1;
break;
--
⑨