[FIX] buffer overflow in download-provider. 18/21618/1
author Romuald Texier-Marcadé <romuald.texier-marcade@open.eurogiciel.org>
Fri, 23 May 2014 13:45:41 +0000 (15:45 +0200)
committer Romuald Texier-Marcadé <romuald.texier-marcade@open.eurogiciel.org>
Fri, 23 May 2014 13:59:58 +0000 (15:59 +0200)
When building SQL queries, allocate one more byte to account for the
separator char *and* the terminating nul byte.

Bug-Tizen: TC-10
Change-Id: Ic98ad19b13245c5d594e1c5de5b80671c67b25bb
Signed-off-by: Romuald Texier-Marcadé <romuald.texier-marcade@open.eurogiciel.org>
provider/download-provider-db.c

index 8a86d30..9b9f32c 100755 (executable)
@@ -1768,7 +1768,7 @@ static char *__merge_strings(char *dest, const char *src, char sep)
        dest_length = strlen(dest);
        src_length = strlen(src);
 
-       temp_dest = sqlite3_realloc(dest, dest_length + src_length + 1);
+       temp_dest = sqlite3_realloc(dest, dest_length + src_length + 2);
        if (temp_dest == NULL) {
                free(dest);
                return NULL;
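
Review bot: The failure branch right after the changed line calls `free(dest)` on a pointer that was just handed to `sqlite3_realloc()`, so the buffer belongs to SQLite's allocator and should be released with `sqlite3_free(dest)`; the two are not interchangeable when SQLite is built or configured with an allocator other than libc malloc. On the changed line, the bare `+ 2` would be easier to keep correct with a short comment saying it covers one byte for `sep` and one for the terminating NUL. Since `sqlite3_realloc()` takes an `int` size, it is also worth checking that `dest_length + src_length + 2` cannot wrap or go negative for very long inputs before the call.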