From fc27181f9e51441a26b7eb4f62794b5e9a994644 Mon Sep 17 00:00:00 2001
From: Bartosz Tomczyk
Date: Tue, 31 Jan 2017 12:02:20 +0100
Subject: [PATCH] glsl: fix heap-buffer-overflow
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

The `end+1` skips the ']', whereas the `strlen+1` includes the final '\0' in the move to terminate the string.

Cc: mesa-stable@lists.freedesktop.org
Reviewed-by: Eric Engestrom
Reviewed-by: Nicolai Hähnle
---
 src/compiler/glsl/link_uniforms.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp
index 8930d26a5ca..e9a20530b57 100644
--- a/src/compiler/glsl/link_uniforms.cpp
+++ b/src/compiler/glsl/link_uniforms.cpp
@@ -535,7 +535,7 @@ private:
 const char *str_end;
 while((str_start = strchr(name_copy, '[')) &&
 (str_end = strchr(name_copy, ']'))) {
- memmove(str_start, str_end + 1, 1 + strlen(str_end));
+ memmove(str_start, str_end + 1, 1 + strlen(str_end + 1));
 }
 
 unsigned index = 0;
-- 
2.30.2
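Review bot: The loop condition still searches for the closing bracket from the start of the buffer, `strchr(name_copy, ']')`, so nothing visible in this hunk guarantees that `str_end` lies after `str_start`. If a name ever reached this loop with a ']' ahead of the first '[', the `memmove` would copy the tail to a higher address and write past the end of `name_copy`, a heap overflow on the write side that the corrected length does not cover. Anchoring the second search at the opening bracket, `(str_end = strchr(str_start, ']'))) {`, makes the ordering hold by construction. The enclosing function and the origin of `name_copy` are outside the hunk, so the names may already be guaranteed well-formed; if so, a one-line comment stating that invariant above the loop would be enough.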