> char *p, *q, *pathend;
> char *element;
> int len;
>
> pathend = path + strlen(path);
> p = path + 1;
> q = strchr(p, '/');
> if (!q)
>     q = pathend;
>
> len = q - p;
> element = malloc(len + 1);
> if (element == NULL)
>     return 1;
>
> strncpy(element, p, len);
> element[len] = '\0';
>
> Are you sure that this can't overflow?

len is bound to the size of path - 1, which is itself bound to BUFFERSIZE by the readline call that fills that buffer, so len will always be smaller than 2048 bytes and therefore the strncpy call that fills element won't be able to overflow it and will always have an extra byte for the terminating character.

Carlo
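
The bound argued in the reply above, as an added example that is not part of the original message or of the package's code: the quoted fragment is wrapped in a hypothetical function, first_element(), so the relation between len and the allocation can be checked on edge-case paths. The function name, the out parameter, the use of size_t for len and the non-empty-path check are assumptions; the fragment does not show its caller or its preconditions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrapper: copies the first component of a path such as
 * "/usr/bin" into a freshly allocated buffer stored in *out.
 * Returns 0 on success, 1 on bad input or allocation failure. */
int first_element(const char *path, char **out)
{
    const char *p, *q, *pathend;
    char *element;
    size_t len;

    /* Assumed precondition, not shown in the fragment: path holds at
     * least one character, so path + 1 still points inside the string. */
    if (path == NULL || out == NULL || path[0] == '\0')
        return 1;

    pathend = path + strlen(path);
    p = path + 1;
    q = strchr(p, '/');
    if (!q)
        q = pathend;

    /* p <= q <= pathend, hence 0 <= len <= strlen(path) - 1. */
    len = (size_t)(q - p);
    element = malloc(len + 1);
    if (element == NULL)
        return 1;

    /* At most len bytes are written into a len + 1 byte buffer; the
     * final byte is reserved for the terminator. */
    strncpy(element, p, len);
    element[len] = '\0';
    *out = element;
    return 0;
}

int main(void)
{
    /* Constructed sample paths, including empty-component cases. */
    const char *samples[] = { "/usr/bin", "/etc", "/", "//x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *e = NULL;
        if (first_element(samples[i], &e) == 0) {
            printf("%-10s -> \"%s\"\n", samples[i], e);
            free(e);
        }
    }
    return 0;
}
```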