commit fb910e8ffa439bc32234cfbf85c36f1f8c3a9c59
author James Dong <jdong@google.com> Tue May 29 18:21:38 2012 -0700
committer Android (Google) Code Review <android-gerrit@google.com> Tue May 29 18:21:38 2012 -0700
tree bf1b71d2086b05aa93c8444156824cc1467326e1
parent 01bf82f27297536399f7dcde214d1a082e3613ef
parent 54c40e033e487b96ff3356d29ab02cc1304f4117

Merge "Fixed a buffer overflow issue" into jb-dev

media/jni/mediaeditor/VideoEditorMain.cpp

diff --git a/media/jni/mediaeditor/VideoEditorMain.cpp b/media/jni/mediaeditor/VideoEditorMain.cpp
index b0c1c35..41ec120 100755
--- a/media/jni/mediaeditor/VideoEditorMain.cpp
+++ b/media/jni/mediaeditor/VideoEditorMain.cpp
@@ -2623,16 +2623,21 @@
             M4OSA_Char* tmpString =
                 (M4OSA_Char *)videoEditJava_getString(&initialized, pEnv, tempPath,
                 NULL, M4OSA_NULL);
+            M4OSA_UInt32 length = strlen((const char *)tmpString);
+            // Malloc additional 2 bytes for beginning and tail separator.
+            M4OSA_UInt32 pathLength = length + 2;
+
             pContext->initParams.pTempPath = (M4OSA_Char *)
-                 M4OSA_32bitAlignedMalloc(strlen((const char *)tmpString) + 1, 0x0,
-                                                 (M4OSA_Char *)"tempPath");
+                 M4OSA_32bitAlignedMalloc(pathLength, 0x0, (M4OSA_Char *)"tempPath");
+
             //initialize the first char. so that strcat works.
             M4OSA_Char *ptmpChar = (M4OSA_Char*)pContext->initParams.pTempPath;
             ptmpChar[0] = 0x00;
             strncat((char *)pContext->initParams.pTempPath, (const char *)tmpString,
-                (size_t)strlen((const char *)tmpString));
+                length);
             strncat((char *)pContext->initParams.pTempPath, (const char *)"/", (size_t)1);
             free(tmpString);
+            tmpString = NULL;
             pContext->mIsUpdateOverlay = false;
             pContext->mOverlayFileName = NULL;
             pContext->decoders = NULL;