From 91cace5e3900913254b4066591f700abfa6aacb0 Mon Sep 17 00:00:00 2001
From: Matthew Dillon <dillon@dragonflybsd.org>
Date: Sat, 26 Jul 2008 21:24:50 +0000
Subject: [PATCH] MFC: An off-by-one malloc size was corrupting the installer's
 memory, causing the time-zone selector to seg-fault.

Submitted-by: Pierre Riteau <pierre.riteau@gmail.com>
---
 contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c  | 2 +-
 contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c | 2 +-
 contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c   | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c
index 53996a6703..30f6764963 100644
--- a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c
+++ b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_caps.c
@@ -285,7 +285,7 @@ dfui_caps_fe_ll_request(struct dfui_connection *c, char msgtype, const char *msg
 	 * Construct a message.
 	 */
 
-	fmsg = aura_malloc(strlen(msg) + 1, "exchange message");
+	fmsg = aura_malloc(strlen(msg) + 2, "exchange message");
 	fmsg[0] = msgtype;
 	strcpy(fmsg + 1, msg);
 	dfui_debug("SEND<<%s>>\n", fmsg);
diff --git a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c
index ab6510a2f4..a62fa6984b 100644
--- a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c
+++ b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_npipe.c
@@ -340,7 +340,7 @@ dfui_npipe_fe_ll_request(struct dfui_connection *c, char msgtype, const char *ms
 	 * Construct a message.
 	 */
 
-	fmsg = malloc(strlen(msg) + 1);
+	fmsg = malloc(strlen(msg) + 2);
 	fmsg[0] = msgtype;
 	strcpy(fmsg + 1, msg);
 
diff --git a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c
index 52a0478830..960e17b3be 100644
--- a/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c
+++ b/contrib/bsdinstaller-1.1.6/src/lib/libdfui/conn_tcp.c
@@ -394,7 +394,7 @@ dfui_tcp_fe_ll_request(struct dfui_connection *c, char msgtype, const char *msg)
 	 * Construct a message.
 	 */
 
-	fmsg = malloc(strlen(msg) + 1);
+	fmsg = malloc(strlen(msg) + 2);
 	fmsg[0] = msgtype;
 	strcpy(fmsg + 1, msg);
 	dfui_debug("SEND<<%s>>\n", fmsg);
-- 
2.11.4.GIT