From PR:

In fdformat.c a closing parenthesis is at the wrong place. Instead of adding sizeof _PATH_DEV + 1 to the length of argv[optind], the length of the string starting (sizeof _PATH_DEV + 1) characters after argv[optind]'s beginning (accessing junk memory if we jump over the terminating null character) is passed to malloc(). PR: bin/60026 Submitted by: Stefan Farfeleder <stefan@fafoe.narf.at>
author: anholt <anholt@FreeBSD.org> 2004-01-07 05:28:57 +0000
committer: anholt <anholt@FreeBSD.org> 2004-01-07 05:28:57 +0000
commit: 784e993ea23633224ab80274724a9794967dee63 (patch)
tree: 945fb410115f157204938f1a2f0c6a5fe171c800 /usr.sbin
parent: f6253c9b056ace4cec7250af241d170180119755 (diff)
download: FreeBSD-src-784e993ea23633224ab80274724a9794967dee63.zip
FreeBSD-src-784e993ea23633224ab80274724a9794967dee63.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/usr.sbin/fdformat/fdformat.c b/usr.sbin/fdformat/fdformat.c
index 0e624de..dd92a86 100644
--- a/usr.sbin/fdformat/fdformat.c
+++ b/usr.sbin/fdformat/fdformat.c
@@ -205,7 +205,7 @@ main(int argc, char **argv)
 
 	if (stat(argv[optind], &sb) == -1 && errno == ENOENT) {
 		/* try prepending _PATH_DEV */
-		device = malloc(strlen(argv[optind] + sizeof _PATH_DEV + 1));
+		device = malloc(strlen(argv[optind]) + sizeof(_PATH_DEV) + 1);
 		if (device == 0)
 			errx(EX_UNAVAILABLE, "out of memory");
 		strcpy(device, _PATH_DEV);
author	anholt <anholt@FreeBSD.org>	2004-01-07 05:28:57 +0000
committer	anholt <anholt@FreeBSD.org>	2004-01-07 05:28:57 +0000
commit	784e993ea23633224ab80274724a9794967dee63 (patch)
tree	945fb410115f157204938f1a2f0c6a5fe171c800 /usr.sbin
parent	f6253c9b056ace4cec7250af241d170180119755 (diff)
download	FreeBSD-src-784e993ea23633224ab80274724a9794967dee63.zip FreeBSD-src-784e993ea23633224ab80274724a9794967dee63.tar.gz