From: Matthew Dillon Date: Sat, 26 Jul 2008 21:24:50 +0000 (+0000) Subject: MFC: An off-by-one malloc size was corrupting the installer's memory, X-Git-Tag: v2.0.1~54 X-Git-Url: https://repo.or.cz/w/dragonfly.git/commitdiff_plain/91cace5e3900913254b4066591f700abfa6aacb0 MFC: An off-by-one malloc size was corrupting the installer's memory, causing the time-zone selector to seg-fault. Submitted-by: Pierre Riteau --- diff --git a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c index 53996a6703..30f6764963 100644 --- a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c +++ b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c @@ -285,7 +285,7 @@ dfui_caps_fe_ll_request(struct dfui_connection *c, char msgtype, const char *msg * Construct a message. */ - fmsg = aura_malloc(strlen(msg) + 1, "exchange message"); + fmsg = aura_malloc(strlen(msg) + 2, "exchange message"); fmsg[0] = msgtype; strcpy(fmsg + 1, msg); dfui_debug("SEND<<%s>>\n", fmsg); diff --git a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c index ab6510a2f4..a62fa6984b 100644 --- a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c +++ b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c @@ -340,7 +340,7 @@ dfui_npipe_fe_ll_request(struct dfui_connection *c, char msgtype, const char *ms * Construct a message. */ - fmsg = malloc(strlen(msg) + 1); + fmsg = malloc(strlen(msg) + 2); fmsg[0] = msgtype; strcpy(fmsg + 1, msg); diff --git a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c index 52a0478830..960e17b3be 100644 --- a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c +++ b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c 
@@ -394,7 +394,7 @@ dfui_tcp_fe_ll_request(struct dfui_connection *c, char msgtype, const char *msg) * Construct a message. */ - fmsg = malloc(strlen(msg) + 1); + fmsg = malloc(strlen(msg) + 2); fmsg[0] = msgtype; strcpy(fmsg + 1, msg); dfui_debug("SEND<<%s>>\n", fmsg);
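Review bot: In the conn_caps.c hunk, the new `strlen(msg) + 2` is a bare constant with no explanation, which is how the original `+ 1` went unnoticed. The buffer holds one byte for `msgtype` at `fmsg[0]`, and `strcpy(fmsg + 1, msg)` then writes `strlen(msg) + 1` bytes (the string plus its NUL) starting at offset 1, so the total is `strlen(msg) + 2`. Please say so in the "Construct a message" comment, or compute the length into a named variable (type byte + payload + terminator) and pass that to `aura_malloc`.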
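Review bot: In the conn_npipe.c hunk, the return value of `malloc(strlen(msg) + 2)` is dereferenced on the very next line (`fmsg[0] = msgtype;`) and no NULL check appears in the visible context. Since this change is already touching the allocation, add a check directly after it and fail the request when the allocation fails, rather than writing through a null pointer.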
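Review bot: In the conn_tcp.c hunk, this is the third copy of the same allocate, set `fmsg[0]`, `strcpy(fmsg + 1, msg)` sequence, and the size had to be corrected separately in each of the caps, npipe and tcp transports. Consider moving message construction into one shared helper that takes `msgtype` and `msg` and returns the buffer, so the length arithmetic lives in one place. That helper can also call `strlen(msg)` once and copy with `memcpy` using the known length, which keeps the allocation size and the copy size tied to the same value.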