GNU bug report logs - #11372
[PATCH] avoid buffer overrun: NUL-terminate after strncpy

Package: emacs

Reported by: Jim Meyering <jim <at> meyering.net>

Date: Sat, 28 Apr 2012 21:59:01 UTC

Severity: normal

Tags: patch

Done: Chong Yidong <cyd <at> gnu.org>

Bug is archived. No further changes may be made.


Report forwarded to bug-gnu-emacs <at> gnu.org:
bug#11372; Package emacs. (Sat, 28 Apr 2012 21:59:01 GMT)

Acknowledgement sent to Jim Meyering <jim <at> meyering.net>:
New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 28 Apr 2012 21:59:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: Jim Meyering <jim <at> meyering.net>
To: bug-emacs <at> gnu.org
Subject: [PATCH] avoid buffer overrun: NUL-terminate after strncpy
Date: Sat, 28 Apr 2012 23:56:45 +0200

strncpy is often misused.
I would argue that nearly any use constitutes misuse.

Here are a few fixes:

2012-04-28  Jim Meyering  <meyering <at> redhat.com>

	avoid buffer overrun: NUL-terminate after strncpy
	* lib-src/pop.c (pop_stat, pop_list, pop_multi_first, pop_last):
	NUL-terminate the error buffer.
	* src/w32font.c (fill_in_logfont): NUL-terminate logfont face name.

---
 lib-src/pop.c |    8 +++++++-
 src/w32font.c |    7 +++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib-src/pop.c b/lib-src/pop.c
index 37494d1..c4c7f2b 100644
--- a/lib-src/pop.c
+++ b/lib-src/pop.c
@@ -346,6 +346,7 @@ pop_stat (popserver server, int *count, int *size)
       if (0 == strncmp (fromserver, "-ERR", 4))
 	{
 	  strncpy (pop_error, fromserver, ERROR_MAX);
+	  pop_error[ERROR_MAX-1] = '\0';
 	}
       else
 	{
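
Review bot: the added pop_error[ERROR_MAX-1] = '\0'; in pop_stat is only in bounds if pop_error is declared with at least ERROR_MAX bytes, and that declaration is not visible in this hunk. If pop_error is a true array, writing the bound as sizeof pop_error in the strncpy call and the index as sizeof pop_error - 1 would tie both to the buffer itself, so they cannot drift apart if the declaration changes.
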
@@ -447,7 +448,10 @@ pop_list (popserver server, int message, int **IDs, int **sizes)
       if (strncmp (fromserver, "+OK ", 4))
 	{
 	  if (! strncmp (fromserver, "-ERR", 4))
-	    strncpy (pop_error, fromserver, ERROR_MAX);
+	    {
+	      strncpy (pop_error, fromserver, ERROR_MAX);
+	      pop_error[ERROR_MAX-1] = '\0';
+	    }
 	  else
 	    {
 	      strcpy (pop_error,
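
Review bot: in pop_list the -ERR branch is now bounded and terminated, but the else branch right after it still begins with an unbounded strcpy (pop_error, whose source is cut off in this context. Please confirm that the source is a fixed string shorter than the buffer; if any part of it comes from fromserver, it needs the same bound and terminator as the -ERR branch.
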
@@ -687,6 +691,7 @@ pop_multi_first (popserver server, const char *command, char **response)
   if (0 == strncmp (*response, "-ERR", 4))
     {
       strncpy (pop_error, *response, ERROR_MAX);
+      pop_error[ERROR_MAX-1] = '\0';
       return (-1);
     }
   else if (0 == strncmp (*response, "+OK", 3))
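
Review bot: pop_multi_first is the third place in this file where the same strncpy plus terminator pair is written out by hand, and pop_last makes four. A small static helper that takes the source string and does both steps would keep the bound and the terminator together, so a later call site cannot copy into pop_error and leave out the second line.
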
@@ -860,6 +865,7 @@ pop_last (popserver server)
   if (! strncmp (fromserver, "-ERR", 4))
     {
       strncpy (pop_error, fromserver, ERROR_MAX);
+      pop_error[ERROR_MAX-1] = '\0';
       return (-1);
     }
   else if (strncmp (fromserver, "+OK ", 4))
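
Review bot: style point on the added line in pop_last, which applies to all four pop.c hunks: the surrounding code puts spaces around binary operators (0 == strncmp), so the index would read better as ERROR_MAX - 1. A one-line comment saying that strncpy leaves the buffer unterminated when the server's line is ERROR_MAX bytes or longer would also record why the extra statement is there.
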
diff --git a/src/w32font.c b/src/w32font.c
index dab9f4c..8badace 100644
--- a/src/w32font.c
+++ b/src/w32font.c
@@ -2045,8 +2045,11 @@ fill_in_logfont (FRAME_PTR f, LOGFONT *logfont, Lisp_Object font_spec)
         /* Font families are interned, but allow for strings also in case of
            user input.  */
       else if (SYMBOLP (tmp))
-        strncpy (logfont->lfFaceName,
-		 SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE);
+	{
+	  strncpy (logfont->lfFaceName,
+		   SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE);
+	  logfont->lfFaceName[LF_FACESIZE-1] = '\0';
+	}
     }

   tmp = AREF (font_spec, FONT_ADSTYLE_INDEX);
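
Review bot: in fill_in_logfont only the SYMBOLP branch gets the terminator, but it is an else if, and the comment above it says strings are allowed as well, so there is an earlier branch outside this hunk that may copy into lfFaceName too. Please check that branch for the same strncpy with LF_FACESIZE and terminate it the same way if it is there.
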
--
1.7.10.382.g62bc8
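
What the patch above guards against, shown as an added example (not code from this report or from the Emacs sources): strncpy writes no terminator when the source is at least as long as the bound. DEMO_ERROR_MAX, the sample server reply and the copy_bounded helper are constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed size for this demo; the real ERROR_MAX is not shown on the page. */
#define DEMO_ERROR_MAX 16
/* Constructed server reply, longer than the buffer. */
#define LONG_ERR "-ERR mailbox locked by another session"

/* Pre-patch pattern: strncpy alone over stale buffer contents.
   Returns 1 if a NUL ended up inside the buffer, 0 if it is unterminated. */
static int copy_before_patch (char *dst, const char *src)
{
  memset (dst, 'X', DEMO_ERROR_MAX);
  strncpy (dst, src, DEMO_ERROR_MAX);
  return memchr (dst, '\0', DEMO_ERROR_MAX) != NULL;
}

/* Patched pattern: same copy, then force a terminator into the last byte.
   Returns the length of the stored string. */
static size_t copy_after_patch (char *dst, const char *src)
{
  memset (dst, 'X', DEMO_ERROR_MAX);
  strncpy (dst, src, DEMO_ERROR_MAX);
  dst[DEMO_ERROR_MAX - 1] = '\0';
  return strlen (dst);
}

/* Hypothetical helper: always terminates; returns 1 if SRC was truncated. */
static int copy_bounded (char *dst, size_t size, const char *src)
{
  size_t n = strlen (src);
  int truncated = n >= size;
  if (size == 0)
    return 1;                   /* no room even for the terminator */
  if (truncated)
    n = size - 1;
  memcpy (dst, src, n);
  dst[n] = '\0';
  return truncated;
}

int main (void)
{
  char buf[DEMO_ERROR_MAX];
  printf ("before patch, long reply: terminated=%d\n", copy_before_patch (buf, LONG_ERR));
  printf ("after patch, long reply: length=%zu\n", copy_after_patch (buf, LONG_ERR));
  printf ("copy_bounded: truncated=%d text=\"%s\"\n", copy_bounded (buf, sizeof buf, LONG_ERR), buf);
  return 0;
}
```
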




Information forwarded to bug-gnu-emacs <at> gnu.org:
bug#11372; Package emacs. (Wed, 02 May 2012 10:13:02 GMT)

Message #8 received at 11372 <at> debbugs.gnu.org:

From: Chong Yidong <cyd <at> gnu.org>
To: Jim Meyering <jim <at> meyering.net>
Cc: 11372 <at> debbugs.gnu.org
Subject: Re: bug#11372: [PATCH] avoid buffer overrun: NUL-terminate after
	strncpy
Date: Wed, 02 May 2012 18:10:56 +0800

Jim Meyering <jim <at> meyering.net> writes:

> strncpy is often misused.
> I would argue that nearly any use constitutes misuse.
>
> Here are a few fixes:

Thanks, committed to the emacs-24 branch.




bug closed, send any further explanations to 11372 <at> debbugs.gnu.org and Jim Meyering <jim <at> meyering.net> Request was from Chong Yidong <cyd <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 02 May 2012 10:14:02 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 30 May 2012 11:24:03 GMT)

This bug report was last modified 11 years and 332 days ago.
