fix bad memmove size (reading past buffer bounds)

author: Campbell Barton <ideasman42@gmail.com> 2013-04-05 07:44:07 +0400
committer: Campbell Barton <ideasman42@gmail.com> 2013-04-05 07:44:07 +0400
commit: 7ce6bfb17bdb6441af1e85c5c12ef0fb0f79ee96 (patch)
tree: b805b574d21010eb247b8c2550b20f818f7c00d1 /source/blender/editors/space_console
parent: 6297eb7da71eb2adfb59d9d949f530fc2b2a6287 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/source/blender/editors/space_console/console_ops.c b/source/blender/editors/space_console/console_ops.c
index 74f776549e9..a6379e6465f 100644
--- a/source/blender/editors/space_console/console_ops.c
+++ b/source/blender/editors/space_console/console_ops.c
@@ -225,7 +225,12 @@ static void console_line_verify_length(ConsoleLine *ci, int len)
 {
 	/* resize the buffer if needed */
 	if (len >= ci->len_alloc) {
-		int new_len = len * 2; /* new length */
+		/* new length */
+#ifndef NDEBUG
+		int new_len = len + 1;
+#else
+		int new_len = (len + 1) * 2;
+#endif
 		char *new_line = MEM_callocN(new_len, "console line");
 		memcpy(new_line, ci->line, ci->len);
 		MEM_freeN(ci->line);
@@ -582,7 +587,7 @@ static int console_delete_exec(bContext *C, wmOperator *op)
 				stride = ci->cursor - pos;
 				if (stride) {
 					ci->cursor -= stride; /* same as above */
-					memmove(ci->line + ci->cursor, ci->line + ci->cursor + stride, (ci->len - ci->cursor) + 1);
+					memmove(ci->line + ci->cursor, ci->line + ci->cursor + stride, (ci->len - (ci->cursor + stride)) + 1);
 					ci->len -= stride;
 					BLI_assert(ci->len >= 0);
 					done = TRUE;
author	Campbell Barton <ideasman42@gmail.com>	2013-04-05 07:44:07 +0400
committer	Campbell Barton <ideasman42@gmail.com>	2013-04-05 07:44:07 +0400
commit	7ce6bfb17bdb6441af1e85c5c12ef0fb0f79ee96 (patch)
tree	b805b574d21010eb247b8c2550b20f818f7c00d1 /source/blender/editors/space_console
parent	6297eb7da71eb2adfb59d9d949f530fc2b2a6287 (diff)