From: Ben Pfaff Date: Thu, 15 Mar 2012 05:05:54 +0000 (-0700) Subject: ods-reader: Fix write beyond end of buffer. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fbuilds%2F20120316030503%2Fpspp;p=pspp ods-reader: Fix write beyond end of buffer. The compiler multiplies by sizeof *var_spec for us here, so doing it ourselves writes past the end of the allocated space. Tracked down with valgrind. Reported-by: bojo42 --- diff --git a/src/data/ods-reader.c b/src/data/ods-reader.c index 122e98c76d..aedea078df 100644 --- a/src/data/ods-reader.c +++ b/src/data/ods-reader.c @@ -462,7 +462,7 @@ ods_open_reader (struct spreadsheet_read_info *gri, struct dictionary **dict) var_spec = xrealloc (var_spec, sizeof (*var_spec) * (idx + 1)); /* xrealloc (unlike realloc) doesn't initialise its memory to 0 */ - memset (var_spec + n_var_specs * sizeof (*var_spec), + memset (var_spec + n_var_specs, 0, (n_var_specs - idx + 1) * sizeof (*var_spec)); n_var_specs = idx + 1;
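Review bot: The length argument on the unchanged context line after the fixed one, `(n_var_specs - idx + 1) * sizeof (*var_spec)`, looks inverted and should be checked in the same pass. The buffer has just been grown to `idx + 1` elements and `n_var_specs` still holds the old count at this point, so the number of new elements to zero starting at `var_spec + n_var_specs` is `idx + 1 - n_var_specs`. The two expressions agree only when `idx == n_var_specs`. For `idx == n_var_specs + 1` the length is 0 and the new elements stay uninitialised; for any larger `idx` the count goes below zero and, once multiplied by `sizeof (*var_spec)`, wraps or converts to a very large size, so the memset would again write past the end of the allocation. Suggest `(idx + 1 - n_var_specs) * sizeof (*var_spec)`, and confirm that this path is only reached when `idx >= n_var_specs`, which the visible lines do not show.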