Fix a buffer overflow. Which accounted for the size of the path, plus the the

'/', plus the size of the test command.  It did not account for the terminating
NULL, which overwrote the end of the string.
 -Erik

diff --git a/findutils/which.c b/findutils/which.c
index 1d75244654571c73923d20a97c0aa4473cab74fc..08813c149a56882e865453102374e34b7534a54c 100644 (file)
--- a/findutils/which.c
+++ b/findutils/which.c
@@ -53,7 +53,7 @@ extern int which_main(int argc, char **argv)
                argv++;
                found = 0;
                for (i = 0; i < count; i++) {
-                       char buf[strlen(path_n)+1+strlen(*argv)];
+                       char buf[strlen(path_n)+strlen(*argv)+2];
                        strcpy (buf, path_n);
                        strcat (buf, "/");
                        strcat (buf, *argv);

diff --git a/which.c b/which.c
index 1d75244654571c73923d20a97c0aa4473cab74fc..08813c149a56882e865453102374e34b7534a54c 100644 (file)
--- a/which.c
+++ b/which.c
@@ -53,7 +53,7 @@ extern int which_main(int argc, char **argv)
                argv++;
                found = 0;
                for (i = 0; i < count; i++) {
-                       char buf[strlen(path_n)+1+strlen(*argv)];
+                       char buf[strlen(path_n)+strlen(*argv)+2];
                        strcpy (buf, path_n);
                        strcat (buf, "/");
                        strcat (buf, *argv);