From 54c40e033e487b96ff3356d29ab02cc1304f4117 Mon Sep 17 00:00:00 2001
From: James Dong
Date: Tue, 29 May 2012 18:05:57 -0700
Subject: [PATCH] Fixed a buffer overflow issue

The allocated array has one byte less than the required length. Allocating the size one byte larger fixes the issue. contribution was originally from teng.hong@nxp.com
Change-Id: I3aa2e6b995fd18e30649a34f201646082aab44ee
related-to-bug: 6347465
---
 media/jni/mediaeditor/VideoEditorMain.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/media/jni/mediaeditor/VideoEditorMain.cpp b/media/jni/mediaeditor/VideoEditorMain.cpp
index b0c1c35d905ad..41ec12090e4c0 100755
--- a/media/jni/mediaeditor/VideoEditorMain.cpp
+++ b/media/jni/mediaeditor/VideoEditorMain.cpp
@@ -2623,16 +2623,21 @@ videoEditor_init(
 M4OSA_Char* tmpString = (M4OSA_Char *)videoEditJava_getString(&initialized, pEnv, tempPath, NULL, M4OSA_NULL);
+ M4OSA_UInt32 length = strlen((const char *)tmpString);
+ // Malloc additional 2 bytes for beginning and tail separator.
+ M4OSA_UInt32 pathLength = length + 2;
+
 pContext->initParams.pTempPath = (M4OSA_Char *)
- M4OSA_32bitAlignedMalloc(strlen((const char *)tmpString) + 1, 0x0,
- (M4OSA_Char *)"tempPath");
+ M4OSA_32bitAlignedMalloc(pathLength, 0x0, (M4OSA_Char *)"tempPath");
+
 //initialize the first char. so that strcat works.
 M4OSA_Char *ptmpChar = (M4OSA_Char*)pContext->initParams.pTempPath;
 ptmpChar[0] = 0x00;
 strncat((char *)pContext->initParams.pTempPath, (const char *)tmpString,
- (size_t)strlen((const char *)tmpString));
+ length);
 strncat((char *)pContext->initParams.pTempPath, (const char *)"/", (size_t)1);
 free(tmpString);
+ tmpString = NULL;
 pContext->mIsUpdateOverlay = false;
 pContext->mOverlayFileName = NULL;
 pContext->decoders = NULL;
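Review bot: Two pointers are dereferenced without a check in the new code: `tmpString` goes straight into `strlen((const char *)tmpString)` on the line after `videoEditJava_getString` returns it, and the result of `M4OSA_32bitAlignedMalloc` is written through at `ptmpChar[0] = 0x00` with no test in between. If either call can return NULL (likely for the allocator, presumably for the string helper on failure), the sized allocation fixes the overflow but leaves a NULL dereference; test `tmpString == M4OSA_NULL` before the `strlen` and `pContext->initParams.pTempPath == M4OSA_NULL` before the first write. The added comment is also inaccurate, since the two extra bytes hold the trailing `/` and the terminating NUL rather than a "beginning" separator; `// +2: trailing '/' and terminating NUL` would match what the two `strncat` calls actually write. videoEditor_init begins and ends outside the hunk, so the appropriate error path for these checks cannot be confirmed from here.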