Index: hostfs.c
===================================================================
--- hostfs.c (revision 124)
+++ hostfs.c (working copy)
@@ -223,14 +224,41 @@
 strcpy(new_path, old_path);
- /* Calculate where to place new comma suffix */
+ /* Default: new suffix appended onto existing path */
+ new_suffix = new_path + strlen(new_path);
+
+ /* Check for existing comma suffix (and ensure that subsequent
+ * characters are valid hex digits) */
 comma = strrchr(new_path, ',');
 if (comma) {
- /* New suffix overwrites existing comma suffix */
- new_suffix = comma;
- } else {
- /* New suffix appended onto existing path */
- new_suffix = new_path + strlen(new_path);
+ const char *dash = strrchr(comma + 1, '-');
+
+ if (dash) {
+ /* Potential load + exec address */
+ /* Check the lengths of the portions before and after the dash */
+ if ((dash - comma - 1) >= 1 && (dash - comma - 1) <= 8 &&
+ new_suffix - dash - 1 >= 1 && new_suffix - dash - 1 <= 8)
+ {
+ /* Check there is no whitespace present, as sscanf() silently
+ ignores it */
+ const char *whitespace = strpbrk(comma + 1, " \f\n\r\t\v");
+
+ if (!whitespace) {
+ unsigned int load, exec;
+
+ if (sscanf(comma + 1, "%8x-%8x", &load, &exec) == 2) {
+ new_suffix = comma;
+ }
+ }
+ }
+
+ } else {
+ /* ",xxx" */
+ if (new_suffix - comma == 4 && isxdigit(comma[1]) &&
+ isxdigit(comma[2]) && isxdigit(comma[3])) {
+ new_suffix = comma;
+ }
+ }
 }
 if ((load & 0xfff00000u) == 0xfff00000u) {
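Review bot: The `sscanf(comma + 1, "%8x-%8x", &load, &exec) == 2` test in the load-exec branch does not guarantee that the suffix is all hex digits, which is what the comment above the `strrchr` call promises: `%x` also accepts a leading sign and a `0x` prefix, and sscanf does not report trailing characters, so constructed names ending `,12-34zz` or `,-1-2` pass the length and whitespace checks and have their tail overwritten. Comparing `strspn()` over the hex alphabet with the two portion lengths, as in the fence below, covers signs, prefixes, whitespace and trailing junk in one test and removes the inner `load`/`exec`, which appear to shadow the outer `load` read in the trailing context line. In the `,xxx` branch the `isxdigit()` arguments should be cast, e.g. `isxdigit((unsigned char) comma[1])`, because a filename byte above 0x7f is negative where `char` is signed and that is undefined for the <ctype.h> functions. The enclosing function starts and ends outside the hunk, so the size of `new_path` behind the `strcpy` context line cannot be checked from here.

```c
if (dash) {
    /* Potential load + exec address */
    /* ... unchanged: length checks on the portions before and after the dash ... */
    {
        /* Every character on both sides of the dash must be a hex digit;
           strspn() rejects signs, "0x", whitespace and trailing junk alike */
        static const char hex_digits[] = "0123456789abcdefABCDEF";
        size_t load_len = (size_t) (dash - comma - 1);
        size_t exec_len = (size_t) (new_suffix - dash - 1);

        if (strspn(comma + 1, hex_digits) == load_len &&
            strspn(dash + 1, hex_digits) == exec_len) {
            new_suffix = comma;
        }
    }
```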