module: Fix off-by-one error in findpath()

We need to make sure that 'path' still has enough space to write the
trailing NUL-byte. Without this patch it's possible to write a
NUL-byte past the end of the on-stack buffer.

Signed-off-by: Matt Fleming <matt.fleming@intel.com>

diff --git a/com32/lib/sys/module/common.c b/com32/lib/sys/module/common.c
index 30c57b4..dfbdf61 100644 (file)
--- a/com32/lib/sys/module/common.c
+++ b/com32/lib/sys/module/common.c
@@ -71,7 +71,7 @@ FILE *findpath(char *name)
        p = PATH;
 again:
        i = 0;
-       while (*p && *p != ':' && i < FILENAME_MAX) {
+       while (*p && *p != ':' && i < FILENAME_MAX - 1) {
                path[i++] = *p++;
        }
 
@@ -79,7 +79,7 @@ again:
                p++;
 
        n = name;
-       while (*n && i < FILENAME_MAX)
+       while (*n && i < FILENAME_MAX - 1)
                path[i++] = *n++;
        path[i] = '\0';