summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorChristopher R. Palmer <crpalmer@gmail.com>2014-09-22 14:35:54 -0400
committerElliott Hughes <enh@google.com>2015-01-07 12:18:00 -0800
commitba95be58c596aa7b5034b1bce8f3fde97ae08780 (patch)
tree335caf206aab4331ce1c2bfdce329b814afc611f
parent4fca59181c838b91572d1b57cb74b26d0a70528f (diff)
downloadsystem_core-ba95be58c596aa7b5034b1bce8f3fde97ae08780.zip
system_core-ba95be58c596aa7b5034b1bce8f3fde97ae08780.tar.gz
system_core-ba95be58c596aa7b5034b1bce8f3fde97ae08780.tar.bz2
init: Fix memory corruption when sanitizing platform paths
This commit fixes code that incorrectly increments s when it hits the terminator character of the string being sanitized. This means it will randomly start trashing memory beyond the end of the string being sanitized until it happens to hit two NULs (\0\0) which will break it out of the loop. (cherry picked from commit 07f3fee164bd7ba14ce9b2dd3818006f07162845) Bug: 18885357 Change-Id: If6b01fe2b9bd5985f08f1278deb03b311d0170dc
-rw-r--r--init/util.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/init/util.c b/init/util.c
index 0f69e1c..e1a3ee3 100644
--- a/init/util.c
+++ b/init/util.c
@@ -329,9 +329,9 @@ void sanitize(char *s)
if (!s)
return;
- for (; *s; s++) {
+ while (*s) {
s += strspn(s, accept);
- if (*s) *s = '_';
+ if (*s) *s++ = '_';
}
}