Patch from Frederic Bouvier:

arrays of insufficient size are allocated in prop_picker.cxx ( size()
don't count the null char ) and strcpy is writing outside the allocated
array. A patch follow.

diff --git a/src/GUI/prop_picker.cxx b/src/GUI/prop_picker.cxx
index aed464a4d348a3a40000b04e3f7dc76a23d190bc..445128d34e9d63518d96d53fcb25c93ff6b88eb8 100755 (executable)
--- a/src/GUI/prop_picker.cxx
+++ b/src/GUI/prop_picker.cxx
@@ -445,11 +445,11 @@ void fgPropPicker::find_props ()
     files = new char* [ num_files+1 ] ;
 
     stdString line = ".";
-    files [ 0 ] = new char[line.size()];
+    files [ 0 ] = new char[line.size() + 1];
     strcpy ( files [ 0 ], line.c_str() );
 
     line = "..";
-    files [ 1 ] = new char[line.size()];
+    files [ 1 ] = new char[line.size() + 1];
     strcpy ( files [ 1 ], line.c_str() );
 
     pi = 2;