From: Mitchell Hayenga <Mitchell.Hayenga@ARM.com>
Date: Thu, 12 Jan 2012 21:27:20 +0000 (-0600)
Subject: Fix memory corruption issue with CopyStringOut()
X-Git-Tag: stable_2012_06_28~266^2~7
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=698408bce2a2294ab620cb70d6272f33fa75e017;p=gem5.git

Fix memory corruption issue with CopyStringOut()

CopyStringOut() improperly indexed setting the null
character, would result in zeroing a random byte
of memory after(out of bounds) the character array.
---

diff --git a/src/mem/fs_translating_port_proxy.cc b/src/mem/fs_translating_port_proxy.cc
index d202b22bd..c0898a003 100644
--- a/src/mem/fs_translating_port_proxy.cc
+++ b/src/mem/fs_translating_port_proxy.cc
@@ -138,15 +138,19 @@ CopyIn(ThreadContext *tc, Addr dest, void *source, size_t cplen)
 void
 CopyStringOut(ThreadContext *tc, char *dst, Addr vaddr, size_t maxlen)
 {
-    int len = 0;
     char *start = dst;
     FSTranslatingPortProxy* vp = tc->getVirtProxy();
 
-    do {
-        vp->readBlob(vaddr++, (uint8_t*)dst++, 1);
-    } while (len < maxlen && start[len++] != 0 );
+    bool foundNull = false;
+    while ((dst - start + 1) < maxlen && !foundNull) {
+        vp->readBlob(vaddr++, (uint8_t*)dst, 1);
+        if (dst == '\0')
+            foundNull = true;
+        dst++;
+    }
 
-    dst[len] = 0;
+    if (!foundNull)
+        *dst = '\0';
 }
 
 void