From owner-svn-src-all@FreeBSD.ORG Thu Nov 24 18:45:23 2011 Message-Id: <201111241845.pAOIjNvY008058@svn.freebsd.org>
From: Max Khon Date: Thu, 24 Nov 2011 18:45:23 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r227947 - head/usr.sbin/tzsetup X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2011 18:45:23 -0000 Author: fjoe Date: Thu Nov 24 18:45:23 2011 New Revision: 227947 URL: http://svn.freebsd.org/changeset/base/227947 Log: calloc +1 DIALOG_LISTITEM to prevent possible wild pointer access in dlg_default_listitem(). Modified: head/usr.sbin/tzsetup/tzsetup.c Modified: head/usr.sbin/tzsetup/tzsetup.c ============================================================================== --- head/usr.sbin/tzsetup/tzsetup.c Thu Nov 24 18:44:14 2011 (r227946) +++ head/usr.sbin/tzsetup/tzsetup.c Thu Nov 24 18:45:23 2011 (r227947) @@ -76,14 +76,14 @@ static int xdialog_menu(const char *title, const char *cprompt, int height, int width, int menu_height, int item_no, dialogMenuItem *ditems) { - int i, result, choice; + int i, result, choice = 0; DIALOG_LISTITEM *listitems; DIALOG_VARS save_vars; dlg_save_vars(&save_vars); /* initialize list items */ - listitems = dlg_calloc(DIALOG_LISTITEM, item_no); + listitems = dlg_calloc(DIALOG_LISTITEM, item_no + 1); assert_ptr(listitems, "xdialog_menu"); for (i = 0; i < item_no; i++) { listitems[i].name = ditems[i].prompt; @@ -111,7 +111,7 @@ xdialog_menu(const char *title, const ch width = COLS; again: - dialog_vars.default_item = ditems[choice].prompt; + dialog_vars.default_item = listitems[choice].name; result = dlg_menu(title, cprompt, height, width, menu_height, item_no, listitems, &choice, NULL); switch (result) {
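Review bot: The extra element in `dlg_calloc(DIALOG_LISTITEM, item_no + 1)` in the first hunk (@@ -76,14) works as a zeroed terminator only because the fill loop stops at `i < item_no` and calloc clears the memory, and nothing in the code says so. The log message ties it to dlg_default_listitem(), but a later reader of xdialog_menu() will not see that. Please add a one-line comment above the allocation stating that the last entry is deliberately left zeroed as an end-of-list marker, so nobody "fixes" the size back to item_no or starts populating the final slot.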
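Review bot: In the second hunk (@@ -111,7), `listitems[choice].name` at the `again:` label indexes with a value that dlg_menu() writes through `&choice`, and there is no range check on it before the array is read on a later pass through the label. The `choice = 0` initializer from the first hunk covers only the first pass. The array now holds item_no + 1 entries, so an index equal to item_no yields the zeroed entry, but a negative or larger value still reads outside the allocation. Suggest guarding the assignment, for example using `listitems[choice].name` only when `choice >= 0 && choice < item_no` and otherwise resetting choice to 0 first.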