From: Bartosz Tomczyk
Date: Tue, 31 Jan 2017 11:02:20 +0000 (+0100)
Subject: glsl: fix heap-buffer-overflow
X-Git-Url: https://git.libre-soc.org/?a=commitdiff_plain;h=fc27181f9e51441a26b7eb4f62794b5e9a994644;p=mesa.git

glsl: fix heap-buffer-overflow

The `end+1` skips the ']', whereas the `strlen+1` includes the final '\0' in the move to terminate the string.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Eric Engestrom
Reviewed-by: Nicolai Hähnle
---
diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
index 8930d26a5ca..e9a20530b57 100644
--- a/src/compiler/glsl/link_uniforms.cpp
+++ b/src/compiler/glsl/link_uniforms.cpp
@@ -535,7 +535,7 @@ private:
 const char *str_end;
 while((str_start = strchr(name_copy, '[')) && (str_end = strchr(name_copy, ']'))) {
- memmove(str_start, str_end + 1, 1 + strlen(str_end));
+ memmove(str_start, str_end + 1, 1 + strlen(str_end + 1));
 }
 unsigned index = 0;
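Review bot: The `]` search in the loop condition still starts at `name_copy` rather than at `str_start`, so the corrected length is only in bounds when the first `]` comes after the first `[`. If a name ever held a `]` before its `[`, the destination would lie past the source and the move would write beyond the terminator again. Whether such a name can reach this code is not visible from the hunk, since the enclosing function starts and ends outside it. Anchoring the second search on the first, `(str_end = strchr(str_start, ']'))) {`, makes the invariant local to the loop. A short comment such as `/* strip every "[N]" subscript; +1 copies the trailing NUL */` would also record why the length is computed from `str_end + 1`.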