Fix possible buffer overrun due to incorrect strncat length argument

[rrdd] / rrdtool.c

diff --git a/rrdtool.c b/rrdtool.c
index da876d51da7620d8051ca6f0320790c71f5e687f..c92dee186c56c9a28951d10aa089ab47f0816419 100644 (file)
--- a/rrdtool.c
+++ b/rrdtool.c
@@ -47,8 +47,8 @@ int rrdtool_draw_image(struct rrd_image *image)
        pr_info("Drawing image %s\n", image->image_filename);
 
        tmpfile[0] = 0;
-       strncat(tmpfile, image->image_filename, sizeof(tmp) - 1);
-       strncat(tmpfile, ".tmp", sizeof(tmp) - 1);
+       strncat(tmpfile, image->image_filename, sizeof(tmp) - strlen(tmp) - 1);
+       strncat(tmpfile, ".tmp", sizeof(tmp) - strlen(tmp) - 1);
 
        if (image->updatestr)
                updatestr = image->updatestr;