diff options
author | Bartosz Tomczyk <[email protected]> | 2017-01-31 12:02:20 +0100 |
---|---|---|
committer | Nicolai Hähnle <[email protected]> | 2017-01-31 15:58:52 +0100 |
commit | fc27181f9e51441a26b7eb4f62794b5e9a994644 (patch) | |
tree | 22919214af47575210fa4482e98d15afb4bcff89 /src/compiler/glsl | |
parent | 658568941d5e232d690e1ffbcddbd6ea9685693a (diff) |
glsl: fix heap-buffer-overflow
The `end+1` skips the ']', whereas the `strlen+1` includes the final
'\0' in the move to terminate the string.
Cc: [email protected]
Reviewed-by: Eric Engestrom <[email protected]>
Reviewed-by: Nicolai Hähnle <[email protected]>
Diffstat (limited to 'src/compiler/glsl')
-rw-r--r-- | src/compiler/glsl/link_uniforms.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/compiler/glsl/link_uniforms.cpp b/src/compiler/glsl/link_uniforms.cpp index 8930d26a5ca..e9a20530b57 100644 --- a/src/compiler/glsl/link_uniforms.cpp +++ b/src/compiler/glsl/link_uniforms.cpp @@ -535,7 +535,7 @@ private: const char *str_end; while((str_start = strchr(name_copy, '[')) && (str_end = strchr(name_copy, ']'))) { - memmove(str_start, str_end + 1, 1 + strlen(str_end)); + memmove(str_start, str_end + 1, 1 + strlen(str_end + 1)); } unsigned index = 0; |