IOT-2796 prevent sprintf writing past array
authorGeorge Nash <george.nash@intel.com>
Fri, 6 Oct 2017 21:46:49 +0000 (14:46 -0700)
committerRick Bell <richard.s.bell@intel.com>
Mon, 9 Oct 2017 19:04:08 +0000 (19:04 +0000)
tmp is not large enough to hold the two characters
appended to it and the terminating null character.

To make room for the terminating null character the
arrays were increased in size by 1.

Bug: https://jira.iotivity.org/browse/IOT-2796
Change-Id: I53683401a581cef89c8d32088b47d87448140ca2
Signed-off-by: George Nash <george.nash@intel.com>
resource/csdk/security/tool/json2cbor.c

index 229d1b5c55363b500f44aab39b034e1738cc54cf..0ae8f16d9328930fd13bcfe07634a5721f3b4f74 100644 (file)
@@ -1258,7 +1258,7 @@ OicSecCred_t *JSONToCredBin(const char *jsonStr)
 
                 ret = (jsonObjLen % 2 == 0) ? ret : OC_STACK_ERROR;
 
-                char tmp[2];
+                char tmp[3];
                 char *buf = (char *)OICCalloc(1, jsonObjLen/2);
                 for(size_t i = 0, p = 0 ; i < jsonObjLen; i+=2, ++p)
                 {
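Review bot: An odd `jsonObjLen` only sets `ret` to `OC_STACK_ERROR` here; nothing between that assignment and the `for` loop stops the decode, while `buf` is sized `jsonObjLen/2`, which rounds down. The loop body is outside this hunk, but if it stores one byte at `buf[p]` per iteration, as the `p` counter suggests, the last iteration for an odd-length string lands one byte past the allocation. Reject the input before allocating, for example `if (jsonObjLen % 2 != 0)` followed by the function's existing error exit, rather than recording the error and continuing. The same sequence appears in the hunks at -1285 and -1312.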
@@ -1285,7 +1285,7 @@ OicSecCred_t *JSONToCredBin(const char *jsonStr)
 
                 ret = (jsonObjLen % 2 == 0) ? ret : OC_STACK_ERROR;
 
-                char tmp[2];
+                char tmp[3];
                 char *buf = (char *)OICCalloc(1, jsonObjLen/2);
                 for(size_t i = 0, p = 0 ; i < jsonObjLen; i+=2, ++p)
                 {
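Review bot: The pointer returned by `OICCalloc(1, jsonObjLen/2)` goes straight into the loop on the next line with no NULL check, so an allocation failure is not handled before decoding starts. The loop body is outside this hunk, so the dereference is inferred from the `buf`/`p` pairing. A guard such as `if (!buf) { ret = OC_STACK_NO_MEMORY; }` plus the function's normal error exit would close this; the hunks at -1258 and -1312 have the same gap.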
@@ -1312,7 +1312,7 @@ OicSecCred_t *JSONToCredBin(const char *jsonStr)
                 jsonObjLen = strlen(jsonOpt->valuestring);
 
                 ret = (jsonObjLen % 2 == 0) ? ret : OC_STACK_ERROR;
-                char tmp[2];
+                char tmp[3];
                 char *buf = (char *)OICCalloc(1, jsonObjLen/2);
                 for(size_t i = 0, p = 0; i < jsonObjLen; i+=2, ++p)
                 {
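Review bot: This is the third copy of the same hex-decode sequence (`tmp`, `OICCalloc(1, jsonObjLen/2)`, the `i+=2` loop), and the size fix had to be applied to each copy by hand; one static helper would keep the next fix in one place. Wherever `tmp` ends up, a comment such as `/* two hex digits + terminating NUL */` would explain the 3. The loop body is outside the hunk, so the formatting call is not visible here, but if it is the `sprintf` named in the commit title, `snprintf(tmp, sizeof(tmp), ...)` would bound the write to the array whatever its declared size.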