diff options
| author | Daniel Rosenberg <drosen@google.com> | 2016-04-12 16:30:28 -0700 |
|---|---|---|
| committer | Daniel Rosenberg <drosen@google.com> | 2016-04-12 16:38:41 -0700 |
| commit | db4638ee3044dff2c211f89ac5a19a9734c6b62d (patch) | |
| tree | 591e8a41c78c4d213db405fe90e2d09066fbe0c7 /sdcard | |
| parent | a3a7a886f5277b6223140761e58cea0753854225 (diff) | |
| download | system_core-db4638ee3044dff2c211f89ac5a19a9734c6b62d.tar.gz system_core-db4638ee3044dff2c211f89ac5a19a9734c6b62d.tar.bz2 system_core-db4638ee3044dff2c211f89ac5a19a9734c6b62d.zip | |
Fix overflow in path building
An incorrect size was causing an unsigned value
to wrap, causing it to write past the end of
the buffer.
Bug: 28085658
Change-Id: Ie9625c729cca024d514ba2880ff97209d435a165
Diffstat (limited to 'sdcard')
| -rw-r--r-- | sdcard/sdcard.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/sdcard/sdcard.c b/sdcard/sdcard.c index befe38c9e..5c18f26a4 100644 --- a/sdcard/sdcard.c +++ b/sdcard/sdcard.c @@ -341,7 +341,7 @@ static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize ssize_t pathlen = 0; if (node->parent && node->graft_path == NULL) { - pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 2); + pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 1); if (pathlen < 0) { return -1; } |