ref: 4c7f2e780ad748acd9e8c9702d66669095cb0da0
parent: 884505cfdd3f4e5b0ed8deca65c2d93e3fab11a8
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Mon Jan 13 19:22:13 EST 2014
devdraw: fix memory corruption reading draw ctl file when user does read of exactly 12*12 bytes on draw ctl file, the snprint() adds one more \0 byte writing beyond the user buffer and corrupting memory. fix this by not snprint()ing the final space and add it manually.
--- a/sys/src/9/port/devdraw.c
+++ b/sys/src/9/port/devdraw.c
@@ -1187,10 +1187,11 @@
error(Enodrawimage);
i = di->image;
}
- n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d ",
+ n = sprint(a, "%11d %11d %11s %11d %11d %11d %11d %11d %11d %11d %11d %11d",
cl->clientid, cl->infoid, chantostr(buf, i->chan), (i->flags&Frepl)==Frepl,
i->r.min.x, i->r.min.y, i->r.max.x, i->r.max.y,
i->clipr.min.x, i->clipr.min.y, i->clipr.max.x, i->clipr.max.y);
+ ((char*)a)[n++] = ' ';
cl->infoid = -1;
break;
--
⑨