author | Christopher R. Palmer <crpalmer@gmail.com> | 2014-09-22 14:35:54 -0400 |
---|---|---|
committer | Elliott Hughes <enh@google.com> | 2015-01-07 12:18:00 -0800 |
commit | ba95be58c596aa7b5034b1bce8f3fde97ae08780 (patch) | |
tree | 335caf206aab4331ce1c2bfdce329b814afc611f | |
parent | 4fca59181c838b91572d1b57cb74b26d0a70528f (diff) | |
init: Fix memory corruption when sanitizing platform paths
This commit fixes code that incorrectly increments s when it
hits the terminator character of the string being sanitized.
This means it will randomly start trashing memory beyond the
end of the string being sanitized until it happens to hit two
NULs (\0\0) which will break it out of the loop.
(cherry picked from commit 07f3fee164bd7ba14ce9b2dd3818006f07162845)
Bug: 18885357
Change-Id: If6b01fe2b9bd5985f08f1278deb03b311d0170dc
-rw-r--r-- | init/util.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/init/util.c b/init/util.c index 0f69e1c..e1a3ee3 100644 --- a/init/util.c +++ b/init/util.c @@ -329,9 +329,9 @@ void sanitize(char *s) if (!s) return; - for (; *s; s++) { + while (*s) { s += strspn(s, accept); - if (*s) *s = '_'; + if (*s) *s++ = '_'; } } |
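Review bot: The new loop in sanitize() stays in bounds only because the increment now sits inside the check, as in `if (*s) *s++ = '_';`, and nothing in the code records that, so a later cleanup back to a `for (...; s++)` form would reintroduce the overrun. Please add a one-line comment above `while (*s)` noting that `s += strspn(s, accept)` can leave s on the terminator and that s must therefore never be advanced unconditionally. The patch also carries no test: a case where the input ends in a character from `accept` (so strspn lands exactly on the NUL) is the one the old `for (; *s; s++)` stepped past, and it is worth pinning down alongside an all-rejected string and an empty string.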