From 4b9fe1fba2acf1936bf47a885a2ee04c9876fd86 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dirk=20M=C3=BCller?= <dirk@dmllr.de>
Date: Tue, 2 Jun 2026 11:17:31 +0200
Subject: [PATCH] Fix theoretical one-byte buffer overrun
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If 64 (sizeof(buf))= or more characters were provided in the input string,
this unconditionally writes a null byte to `buf[64]`, which is one byte
past the end of the array.

Signed-off-by: Dirk Müller <dirk@dmllr.de>
---
 src/control/ctlparse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/control/ctlparse.c b/src/control/ctlparse.c
index 3bd86435..c40de2bd 100644
--- a/src/control/ctlparse.c
+++ b/src/control/ctlparse.c
@@ -173,7 +173,7 @@ int __snd_ctl_ascii_elem_id_parse(snd_ctl_elem_id_t *dst, const char *str,
 			ptr = buf;
 			size = 0;
 			while (*str && *str != ',') {
-				if (size < (int)sizeof(buf)) {
+				if (size < (int)sizeof(buf) - 1) {
 					*ptr++ = *str;
 					size++;
 				}