options: fix buffer overrun
[fio.git] / options.c
index 5dd31d2387e7dd18e4b482da52c84b386dfbee3c..955bf959e49c3ff2a8c1c9912786f45b833b346c 100644 (file)
--- a/options.c
+++ b/options.c
@@ -1672,6 +1672,7 @@ struct fio_option fio_options[FIO_MAX_OPTS] = {
                .lname  = "Filename(s)",
                .type   = FIO_OPT_STR_STORE,
                .off1   = offsetof(struct thread_options, filename),
+               .maxlen = PATH_MAX,
                .cb     = str_filename_cb,
                .prio   = -1, /* must come after "directory" */
                .help   = "File(s) to use for the workload",
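Review bot: The added `.maxlen = PATH_MAX,` carries no comment saying which buffer the limit protects or whether it counts the terminating NUL. The option is labelled "Filename(s)", so one value can apparently hold several paths, and the cap would then apply to the whole list, not to each file name. Where `maxlen` is enforced is not visible in this diff, so an off-by-one against a `PATH_MAX`-sized destination cannot be ruled out from here. A one-line comment such as `/* limit on the whole value, all names together; see the parser's maxlen check */` would record the intent, adjusted to what the parser actually does.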
@@ -5099,7 +5100,7 @@ static char *fio_keyword_replace(char *opt)
                struct fio_keyword *kw = &fio_keywords[i];
 
                while ((s = strstr(opt, kw->word)) != NULL) {
-                       char *new = malloc(strlen(opt) + 1);
+                       char *new = calloc(strlen(opt) + 1, 1);
                        char *o_org = opt;
                        int olen = s - opt;
                        int len;
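Review bot: The result of `calloc(strlen(opt) + 1, 1)` is used without a NULL check, as the `malloc` it replaces was. The following hunk writes through `new + olen + len`, so an allocation failure becomes a write through a near-NULL pointer, not a reported error. A guard right after the declarations, e.g. `if (!new) return NULL;`, would make the failure explicit. The callers of fio_keyword_replace and the ownership of the current `opt` are outside this hunk, so check that they tolerate that return value and that nothing leaks on that path.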
@@ -5115,9 +5116,10 @@ static char *fio_keyword_replace(char *opt)
                         * If there's more in the original string, copy that
                         * in too
                         */
-                       opt += strlen(kw->word) + olen;
+                       opt += olen + strlen(kw->word);
+                       /* keeps final zero thanks to calloc */
                        if (strlen(opt))
-                               memcpy(new + olen + len, opt, opt - o_org - 1);
+                               memcpy(new + olen + len, opt, strlen(opt));
 
                        /*
                         * replace opt and free the old opt
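Review bot: The corrected `memcpy(new + olen + len, opt, strlen(opt));` stays in bounds only while `len` is no larger than `strlen(kw->word)`. `new` is allocated from the length of the original string (`strlen(opt) + 1` in the previous hunk), and this write ends at `olen + len + strlen(opt)`. `len` is assigned outside the visible lines, presumably as the length of the replacement text; if a replacement can ever be longer than its keyword, the heap buffer is still overrun and the "final zero" the new comment relies on is overwritten. Either size the allocation from the replacement length instead of the input length, or state the invariant next to the allocation, e.g. `/* replacement is never longer than kw->word, so strlen(opt) + 1 is enough */`. The loop body continues past the end of this hunk.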