media-ctl: Fix off-by-one buffer overflow with readlink
author Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tue, 3 Jun 2014 09:53:23 +0000 (11:53 +0200)
committer Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Tue, 3 Jun 2014 09:57:00 +0000 (11:57 +0200)
readlink() returns the number of bytes written to the buffer, which can
be up to the passed buffer size, without including the terminating '\0'.
This causes an off-by-one overflow as we pass the total buffer length to
the function and then try to append a terminating '\0'.

Fix it by passing the buffer size minus one to readlink().

Reported-by: Coverity Scan
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
utils/media-ctl/libmediactl.c

index 409acb8..ec360bd 100644 (file)
@@ -468,7 +468,7 @@ static int media_get_devname_sysfs(struct media_entity *entity)
 
        sprintf(sysname, "/sys/dev/char/%u:%u", entity->info.v4l.major,
                entity->info.v4l.minor);
-       ret = readlink(sysname, target, sizeof(target));
+       ret = readlink(sysname, target, sizeof(target) - 1);
        if (ret < 0)
                return -errno;
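
Review bot: On the `+` line, readlink() silently truncates a link target longer than sizeof(target) - 1 bytes, and the only check that follows is `if (ret < 0)`, so a truncated path is indistinguishable from a complete one. Consider treating ret == sizeof(target) - 1 as a possible truncation and returning an error such as -ENAMETOOLONG, so media_get_devname_sysfs() never works from a cut-off path. Separately, the sprintf() into sysname in the context lines is unbounded; snprintf(sysname, sizeof(sysname), ...) would match the bounds handling this change introduces for target.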