12786 fix CTF pointer overrun
Reviewed by: Toomas Soome <tsoome@me.com>
Reviewed by: Robert Mustacchi <rm@fingolfin.org>
Approved by: Dan McDonald <danmcd@joyent.com>
@@ -131,11 +131,12 @@
if (isqualifier(p, (size_t)(q - p)))
continue; /* skip qualifier keyword */
for (lp = fp->ctf_lookups; lp->ctl_prefix != NULL; lp++) {
if (lp->ctl_prefix[0] == '\0' ||
- strncmp(p, lp->ctl_prefix, (size_t)(q - p)) == 0) {
+ ((size_t)(q - p) >= lp->ctl_len && strncmp(p,
+ lp->ctl_prefix, (size_t)(q - p)) == 0)) {
for (p += lp->ctl_len; isspace(*p); p++)
continue; /* skip prefix and next ws */
if ((q = strchr(p, '*')) == NULL)
q = end; /* compare until end */