From 79e8f53e89d83805784bd2a8832cddc4bc0de608 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Tue, 14 Jan 2014 00:22:13 +0100
Subject: devdraw: fix memory corruption reading draw ctl file when user does read of exactly 12*12 bytes on draw ctl file, the snprint() adds one more \0 byte writing beyond the user buffer and corrupting memory. fix this by not snprint()ing the final space and add it manually.
---
 sys/src/9/port/devdraw.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/sys/src/9/port/devdraw.c b/sys/src/9/port/devdraw.c
index fd939aaeb..30258376f 100644
--- a/sys/src/9/port/devdraw.c
+++ b/sys/src/9/port/devdraw.c
@@ -1187,10 +1187,11 @@ drawread(Chan *c, void *a, long n, vlong off)
 error(Enodrawimage);
 i = di->image;
 }
- n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d ",
+ n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d",
 cl->clientid, cl->infoid, chantostr(buf, i->chan), (i->flags&Frepl)==Frepl, i->r.min.x, i->r.min.y, i->r.max.x, i->r.max.y, i->clipr.min.x, i->clipr.min.y, i->clipr.max.x, i->clipr.max.y);
+ ((char*)a)[n++] = ' ';
 cl->infoid = -1;
 break;
-- cgit v1.2.3
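Review bot: The write into the caller's buffer `a` is still an unbounded `sprint`, so the fix holds only while the formatted output is exactly 12*12-1 characters. `%11d` and `%11s` set a minimum width, not a maximum, so a `chantostr` result longer than 11 characters would again write past a 12*12-byte read. The check that `n` is at least 12*12 is not visible here (drawread starts and ends outside the hunk), so it is assumed rather than confirmed. I would format into a local scratch buffer with `snprint` and copy a checked count into `a`, or at minimum document the invariant above the call: `/* emits exactly 12*12 bytes and no NUL; every field must fit in 11 columns */`. The description says snprint() while the code calls sprint(), which is worth correcting.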