9564 cw: possible buffer overflow in cw

Reviewed by: Yuri Pankov <yuripv@yuripv.net>
Reviewed by: Andy Fiddaman <omnios@citrus-it.co.uk>
Approved by: Robert Mustacchi <rm@joyent.com>

1 files changed, 3 insertions, 5 deletions

diff --git a/usr/src/tools/cw/cw.c b/usr/src/tools/cw/cw.c
index 3bc250dc0c..40613c11b5 100644
--- a/usr/src/tools/cw/cw.c
+++ b/usr/src/tools/cw/cw.c
@@ -1297,16 +1297,13 @@ do_gcc(cw_ictx_t *ctx)
 			case 'O':
 				if (strncmp(arg, "-xO", 3) == 0) {
 					size_t len = strlen(arg);
-					char *s;
+					char *s = NULL;
 					int c = *(arg + 3);
 					int level;
 
 					if (len != 4 || !isdigit(c))
 						error(arg);
 
-					if ((s = malloc(len)) == NULL)
-						nomem();
-
 					level = atoi(arg + 3);
 					if (level > 5)
 						error(arg);
@@ -1322,7 +1319,8 @@ do_gcc(cw_ictx_t *ctx)
 						 */
 						level = 2;
 					}
-					(void) snprintf(s, len, "-O%d", level);
+					if (asprintf(&s, "-O%d", level) == -1)
+						nomem();
 					newae(ctx->i_ae, s);
 					free(s);
 					break;