[LLVMdev] A potential single buffer overflow in program.inc for win32
cradnil
cradnil at gmail.com
Tue Jan 22 22:48:42 PST 2008
// First, determine the length of the command line.
unsigned len = 0;
for (unsigned i = 0; args[i]; i++) {
  len += strlen(args[i]) + 1;
  if (strchr(args[i], ' '))
    len += 2;
}

// Now build the command line.
char *command = reinterpret_cast<char *>(_alloca(len)); // should use len+1 to fix this
char *p = command;
for (unsigned i = 0; args[i]; i++) {
  const char *arg = args[i];
  size_t len = strlen(arg);
  bool needsQuoting = strchr(arg, ' ') != 0;
  if (needsQuoting)
    *p++ = '"';
  memcpy(p, arg, len);
  p += len;
  if (needsQuoting)
    *p++ = '"';
  *p++ = ' ';
}
*p = 0; // this may write beyond the boundary
2008-01-23
cradnil
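
The length accounting in the snippet above, worked through as an added example (not part of the original post and not LLVM's code): the builder writes into a buffer of len + 1 bytes and reports where the terminating NUL lands. The names reserved_len, build_command and kSampleArgs, the use of std::vector instead of _alloca, and the sample argv are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstring>
#include <vector>

// Bytes reserved by the post's first loop: each argument, one separator,
// plus two quote characters when the argument contains a space.
static size_t reserved_len(const char *const *args) {
  size_t len = 0;
  for (size_t i = 0; args[i]; i++) {
    len += strlen(args[i]) + 1;
    if (strchr(args[i], ' '))
      len += 2;
  }
  return len;
}

// Same building loop as the post, writing into reserved_len() + 1 bytes so
// the terminator stays in bounds. Returns the offset where the NUL was stored.
static size_t build_command(const char *const *args, std::vector<char> &out) {
  size_t len = reserved_len(args);
  out.assign(len + 1, '\x7f');  // +1 for the NUL; 0x7f marks untouched bytes
  char *p = out.data();
  for (size_t i = 0; args[i]; i++) {
    const char *arg = args[i];
    size_t n = strlen(arg);
    bool needsQuoting = strchr(arg, ' ') != 0;
    if (needsQuoting)
      *p++ = '"';
    memcpy(p, arg, n);
    p += n;
    if (needsQuoting)
      *p++ = '"';
    *p++ = ' ';
  }
  *p = 0;  // lands at index len, the last byte of the len + 1 buffer
  return static_cast<size_t>(p - out.data());
}

// Constructed sample argv, not taken from the post.
static const char *const kSampleArgs[] = {"llc.exe", "my file.bc", "-o",
                                          "out.s", nullptr};

int main() {
  std::vector<char> buf;
  size_t nul_at = build_command(kSampleArgs, buf);
  // The loops consume exactly reserved_len() bytes, so the NUL offset equals
  // it: one byte past the end of a buffer allocated with only len bytes.
  return nul_at == reserved_len(kSampleArgs) ? 0 : 1;
}
```

The NUL offset equals the reserved length for every argv, including an empty one, so a len-byte allocation is always one byte short.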