From db4638ee3044dff2c211f89ac5a19a9734c6b62d Mon Sep 17 00:00:00 2001 From: Daniel Rosenberg Date: Tue, 12 Apr 2016 16:30:28 -0700 Subject: [PATCH] Fix overflow in path building An incorrect size was causing an unsigned value to wrap, causing it to write past the end of the buffer. Bug: 28085658 Change-Id: Ie9625c729cca024d514ba2880ff97209d435a165 --- sdcard/sdcard.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdcard/sdcard.c b/sdcard/sdcard.c index befe38c9e..5c18f26a4 100644 --- a/sdcard/sdcard.c +++ b/sdcard/sdcard.c @@ -341,7 +341,7 @@ static ssize_t get_node_path_locked(struct node* node, char* buf, size_t bufsize ssize_t pathlen = 0; if (node->parent && node->graft_path == NULL) { - pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 2); + pathlen = get_node_path_locked(node->parent, buf, bufsize - namelen - 1); if (pathlen < 0) { return -1; }