[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH 17/32] readline: fix memory corruption when adding history



From: Kaifeng Zhu <kaifeng.zhu@xxxxxxxxxx>

idx can be down to 0, so TERM_MAX_CMDS-idx+1 could be TERM_MAX_CMDS+1, which
exceeds the size of term_history.

Signed-off-by: Kaifeng Zhu <kaifeng.zhu@xxxxxxxxxx>
Coverity-ID: 1055739
Reviewed-by: Andrew Cooper <andrew.cooper3@xxxxxxxxxx>
---
 readline.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/readline.c b/readline.c
index 8572841..4b68726 100644
--- a/readline.c
+++ b/readline.c
@@ -267,7 +267,7 @@ static void term_hist_add(const char *cmdline)
            new_entry = hist_entry;
            /* Put this entry at the end of history */
            memmove(&term_history[idx], &term_history[idx + 1],
-                   (TERM_MAX_CMDS - idx + 1) * sizeof(char *));
+                   (TERM_MAX_CMDS - (idx + 1)) * sizeof(char *));
            term_history[TERM_MAX_CMDS - 1] = NULL;
            for (; idx < TERM_MAX_CMDS; idx++) {
                if (term_history[idx] == NULL)
-- 
1.7.10.4


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel


 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.