Patch up access of malloc'd buffer one byte beyond its size in kplib's

JPEG decoder (unearthed by valgrind).

git-svn-id: https://svn.eduke32.com/eduke32@2231 1a8010ca-5511-0410-912e-c29ae57300e0
helixhorned 2012-01-03 19:55:55 +00:00
parent f87c0db3ce
commit 76d210c4b8


@ -1658,7 +1658,7 @@ static int32_t kpegrend(const char *kfilebuf, int32_t kfilength,
{
while (curbits < 16) //Getbits
{
ch = *kfileptr++;
ch = *kfileptr++; // BUF_LENG_READ
if (ch == 255) kfileptr++;
num = (num<<8)+((int32_t)ch); curbits += 8;
}
@ -3294,7 +3294,8 @@ void kpzload(const char *filnam, intptr_t *pic, int32_t *bpl, int32_t *xsiz, int
(*pic) = 0;
if (handle < 0) return;
leng = kfilelength(handle);
buf = (char *)Bmalloc(leng); if (!buf) return;
buf = (char *)Bmalloc(leng+1); if (!buf) return;
buf[leng]=0; // FIXME: buf[leng] read in kpegrend(), see BUF_LENG_READ
kread(handle,buf,leng);
kclose(handle);
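Review bot: The single pad byte added in kpzload only covers the one-byte overread valgrind reported; the Getbits loop in kpegrend still dereferences `kfileptr` with no comparison against the end of the input, and each pass can advance the pointer twice (the read plus the `ch == 255` skip), so a truncated or malformed stream can presumably run further past `buf[leng]`. A bound inside the loop would protect every caller rather than only the buffer padded here, e.g. `ch = (kfileptr < kfileend) ? *kfileptr++ : 0;` with `kfileend` a new local derived from `kfilebuf + kfilength`. Separately, `leng` goes unchecked into `Bmalloc(leng+1)` and `buf[leng]=0`, so a negative length would index before the allocation, and the return value of `kread` is ignored, which leaves the tail of `buf` uninitialised on a short read; `if (leng <= 0) { kclose(handle); return; }` before the allocation would cover the first. Both functions extend beyond the visible hunks, so checks that may already exist outside them could not be confirmed.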