From 76d210c4b80b72a42db68567562a89f55a12124d Mon Sep 17 00:00:00 2001
From: helixhorned
Date: Tue, 3 Jan 2012 19:55:55 +0000
Subject: [PATCH] Patch up access of malloc'd buffer one byte beyond its size in kplib's JPEG decoder (unearthed by valgrind).

git-svn-id: https://svn.eduke32.com/eduke32@2231 1a8010ca-5511-0410-912e-c29ae57300e0
---
 polymer/eduke32/build/src/kplib.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/polymer/eduke32/build/src/kplib.c b/polymer/eduke32/build/src/kplib.c
index 368b5c8c1..5bb8f07fa 100644
--- a/polymer/eduke32/build/src/kplib.c
+++ b/polymer/eduke32/build/src/kplib.c
@@ -1658,7 +1658,7 @@ static int32_t kpegrend(const char *kfilebuf, int32_t kfilength,
     {
         while (curbits < 16) //Getbits
         {
-            ch = *kfileptr++;
+            ch = *kfileptr++; // BUF_LENG_READ
             if (ch == 255) kfileptr++;
             num = (num<<8)+((int32_t)ch);
             curbits += 8;
         }
@@ -3294,7 +3294,8 @@ void kpzload(const char *filnam, intptr_t *pic, int32_t *bpl, int32_t *xsiz, int
     (*pic) = 0;
     if (handle < 0) return;
     leng = kfilelength(handle);
-    buf = (char *)Bmalloc(leng); if (!buf) return;
+    buf = (char *)Bmalloc(leng+1); if (!buf) return;
+    buf[leng]=0; // FIXME: buf[leng] read in kpegrend(), see BUF_LENG_READ
     kread(handle,buf,leng);
     kclose(handle);
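Review bot: The read on the `+` line marked `// BUF_LENG_READ` is still unbounded: the Getbits loop never compares `kfileptr` against the end of the input, and because it keeps iterating until `curbits` reaches 16 and `if (ch == 255) kfileptr++;` advances a second time, a stream that runs out of bytes (or ends in 0xFF) is read more than one byte past its end, so the single pad byte the caller now appends does not bound it. Since `kfilength` is a parameter of kpegrend, the read can be clamped at the point of use instead of relying on every caller to over-allocate, e.g. `ch = (kfileptr < kfilebuf + kfilength) ? *kfileptr++ : 0;`, with the same bound applied before the 0xFF skip. Treating bytes past the end as 0 matches the zero pad the commit writes, so callers that already pad see no behavioural change. This assumes kfileptr was initialised from kfilebuf, which happens outside the hunk; kpegrend's body starts and ends outside it.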
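Review bot: `leng` comes straight from `kfilelength(handle)` and is used unchecked in the new `Bmalloc(leng+1)` and `buf[leng]=0` lines; if kfilelength can report failure with a negative value, `leng == -1` becomes a zero-byte allocation followed by a write to `buf[-1]`, which the `if (!buf) return;` guard does not catch. A guard such as `if (leng < 0) { kclose(handle); return; }` before the allocation closes that path, and the existing `if (!buf) return;` likewise returns with `handle` still open. The result of `kread(handle,buf,leng)` is also not checked, so a short read hands partly uninitialised bytes to the decoder; that predates the commit, but the new pad byte only helps if the bytes before it were actually filled. kpzload's body continues outside the hunk.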