blob: f0ebe2dec952010f6761aa1bb7825ea59b28a93d (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
Trying to add a menu item using menu_add_item causes a segmentation fault
in the LCDd server. This is caused by a read beyond the end of an array.
This patch adds a safety check on the size of the argument array.
Signed-off-by: Simon Dawson <spdawson@gmail.com>
diff -Nurp a/server/commands/menu_commands.c b/server/commands/menu_commands.c
--- a/server/commands/menu_commands.c 2011-08-14 13:29:16.000000000 +0100
+++ b/server/commands/menu_commands.c 2012-10-04 22:19:07.997409193 +0100
@@ -198,7 +198,7 @@ menu_add_item_func(Client *c, int argc,
/* call menu_set_item() with a temporarily allocated argv
* to process the remaining options */
- if ((argc > 5) || (argv[4][0] == '-')) {
+ if ((argc > 5) || ((argc == 5) && argv[4][0] == '-')) {
// menu_add_item <menuid> <newitemid> <type> [<text>]
// menu_set_item <menuid> <itemid> {<option>}+
int i, j;
|
