fix for buffer overflow in rrd_restore.c #669

diff --git a/CHANGES b/CHANGES
index a83d56d5a4db77b0dbedff7ee0a128c82dfa6a2c..7f53f649d748cef2a2a9154e8700deb80c0c2aad 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -5,7 +5,7 @@ Bugfixes
 --------
 * shorten test precision to 7 digits ... 
 * never exit from a library function
-
+* buffer overflow in rrd_restore.c fixed #669
 
 RRDtool 1.5.4 - 2015-08-09
 ==========================

diff --git a/src/rrd_restore.c b/src/rrd_restore.c
index 27365a7cfe18d69885c971fbd054f4c649c337a0..7292dff06b9801c40f72f56a2636a646c70137d8 100644 (file)
--- a/src/rrd_restore.c
+++ b/src/rrd_restore.c
@@ -545,7 +545,7 @@ static int parse_tag_rra_cdp_prep_ds_history(
     int       i;
     if ((history = get_xml_text(reader)) != NULL){
         history_ptr = (char *) (&cdp_prep->scratch[0]);
-        for (i = 0; history[i] != '\0'; i++)
+        for (i = 0; history[i] != '\0' && i < MAX_CDP_PAR_EN; i++)
             history_ptr[i] = (history[i] == '1') ? 1 : 0;
         xmlFree(history);        
         return 0;