svn commit: r227947 - head/usr.sbin/tzsetup
Max Khon
fjoe at FreeBSD.org
Thu Nov 24 18:45:23 UTC 2011
Author: fjoe
Date: Thu Nov 24 18:45:23 2011
New Revision: 227947
URL: http://svn.freebsd.org/changeset/base/227947
Log:
calloc +1 DIALOG_LISTITEM to prevent possible wild pointer access
in dlg_default_listitem().
Modified:
head/usr.sbin/tzsetup/tzsetup.c
Modified: head/usr.sbin/tzsetup/tzsetup.c
==============================================================================
--- head/usr.sbin/tzsetup/tzsetup.c Thu Nov 24 18:44:14 2011 (r227946)
+++ head/usr.sbin/tzsetup/tzsetup.c Thu Nov 24 18:45:23 2011 (r227947)
@@ -76,14 +76,14 @@ static int
xdialog_menu(const char *title, const char *cprompt, int height, int width,
int menu_height, int item_no, dialogMenuItem *ditems)
{
- int i, result, choice;
+ int i, result, choice = 0;
DIALOG_LISTITEM *listitems;
DIALOG_VARS save_vars;
dlg_save_vars(&save_vars);
/* initialize list items */
- listitems = dlg_calloc(DIALOG_LISTITEM, item_no);
+ listitems = dlg_calloc(DIALOG_LISTITEM, item_no + 1);
assert_ptr(listitems, "xdialog_menu");
for (i = 0; i < item_no; i++) {
listitems[i].name = ditems[i].prompt;
@@ -111,7 +111,7 @@ xdialog_menu(const char *title, const ch
width = COLS;
again:
- dialog_vars.default_item = ditems[choice].prompt;
+ dialog_vars.default_item = listitems[choice].name;
result = dlg_menu(title, cprompt, height, width,
menu_height, item_no, listitems, &choice, NULL);
switch (result) {
More information about the svn-src-all
mailing list