Lubomir Rintel (lkundrak@v3.sk) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/8527
-gerrit
commit 7daa860a0f0cd66b3a7645141da44dc4ac73948a
Author: Lubomir Rintel lkundrak@v3.sk
Date: Sun Feb 1 16:56:58 2015 +0100
nvramcui: fix a buffer overflow
Missing parentheses around addition.
==22611== Invalid write of size 8
==22611== at 0x401B26: main (nvramcui.c:146)
==22611== Address 0x5a67c40 is 32 bytes inside a block of size 33 alloc'd
==22611== at 0x4C2BC0F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==22611== by 0x401AA9: main (nvramcui.c:137)
Change-Id: I9fd6a619dd03ebaaa066bca8fa5838e76374c984
Signed-off-by: Lubomir Rintel lkundrak@v3.sk
---
payloads/nvramcui/nvramcui.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/payloads/nvramcui/nvramcui.c b/payloads/nvramcui/nvramcui.c index 6543548..b6cc4cd 100644 --- a/payloads/nvramcui/nvramcui.c +++ b/payloads/nvramcui/nvramcui.c @@ -149,7 +149,7 @@ int main() cmos_enum = next_cmos_enum_of_id(cmos_enum, option->config_id); }
- char **values = malloc(sizeof(char*)*numvals + 1); + char **values = malloc(sizeof(char*)*(numvals + 1)); int cnt = 0;
cmos_enum = first_cmos_enum_of_id(opttbl, option->config_id);
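Review bot: On the changed malloc line, the returned pointer is not checked before use (the next statement shown is "int cnt = 0;"), and the size is still a hand-written multiplication, which is the form that allowed the precedence slip in the first place. The new parenthesisation is correct and agrees with the valgrind report in the commit message: a block of size 33 is 4*8 + 1 bytes, and the 8-byte write at offset 32 is the fifth pointer slot, which needs (4 + 1)*8 = 40 bytes. Consider writing it as calloc(numvals + 1, sizeof(*values)), so that the count and the element size are separate arguments and the element size follows the variable's type, and add a NULL check before values is filled in.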