GNU bug report logs - #11372
[PATCH] avoid buffer overrun: NUL-terminate after strncpy
Reported by: Jim Meyering <jim <at> meyering.net>
Date: Sat, 28 Apr 2012 21:59:01 UTC
Severity: normal
Tags: patch
Done: Chong Yidong <cyd <at> gnu.org>
Bug is archived. No further changes may be made.
Report forwarded to bug-gnu-emacs <at> gnu.org: bug#11372; Package emacs. (Sat, 28 Apr 2012 21:59:01 GMT)
Acknowledgement sent to Jim Meyering <jim <at> meyering.net>: New bug report received and forwarded. Copy sent to bug-gnu-emacs <at> gnu.org. (Sat, 28 Apr 2012 21:59:01 GMT)
Message #5 received at submit <at> debbugs.gnu.org:
strncpy is often misused.
I would argue that nearly any use constitutes misuse.
Here are a few fixes:
2012-04-28 Jim Meyering <meyering <at> redhat.com>
avoid buffer overrun: NUL-terminate after strncpy
* lib-src/pop.c (pop_stat, pop_list, pop_multi_first, pop_last):
NUL-terminate the error buffer.
* src/w32font.c (fill_in_logfont): NUL-terminate logfont face name.
---
lib-src/pop.c | 8 +++++++-
src/w32font.c | 7 +++++--
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/lib-src/pop.c b/lib-src/pop.c
index 37494d1..c4c7f2b 100644
--- a/lib-src/pop.c
+++ b/lib-src/pop.c
@@ -346,6 +346,7 @@ pop_stat (popserver server, int *count, int *size)
if (0 == strncmp (fromserver, "-ERR", 4))
{
strncpy (pop_error, fromserver, ERROR_MAX);
+ pop_error[ERROR_MAX-1] = '\0';
}
else
{
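Review bot: the new `pop_error[ERROR_MAX-1] = '\0';` line in pop_stat is only correct if pop_error is declared with at least ERROR_MAX bytes, and the declaration is outside this hunk, so that is worth confirming (or, if pop_error is an array, indexing with sizeof instead of the macro). Two smaller points: GNU style puts spaces around the operator, `ERROR_MAX - 1`, and a server error line of ERROR_MAX bytes or more is now cut short silently, which is reasonable for an error string but could be stated in a comment.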
@@ -447,7 +448,10 @@ pop_list (popserver server, int message, int **IDs, int **sizes)
if (strncmp (fromserver, "+OK ", 4))
{
if (! strncmp (fromserver, "-ERR", 4))
- strncpy (pop_error, fromserver, ERROR_MAX);
+ {
+ strncpy (pop_error, fromserver, ERROR_MAX);
+ pop_error[ERROR_MAX-1] = '\0';
+ }
else
{
strcpy (pop_error,
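Review bot: the `strcpy (pop_error,` kept as context in the inner else branch of pop_list writes to the same buffer with no bound at all. Its source argument is cut off in this hunk; if it is a fixed literal shorter than ERROR_MAX it is fine, but it deserves a look while this code is being touched, since it is an unbounded write sitting right next to the strncpy fixed here.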
@@ -687,6 +691,7 @@ pop_multi_first (popserver server, const char *command, char **response)
if (0 == strncmp (*response, "-ERR", 4))
{
strncpy (pop_error, *response, ERROR_MAX);
+ pop_error[ERROR_MAX-1] = '\0';
return (-1);
}
else if (0 == strncmp (*response, "+OK", 3))
@@ -860,6 +865,7 @@ pop_last (popserver server)
if (! strncmp (fromserver, "-ERR", 4))
{
strncpy (pop_error, fromserver, ERROR_MAX);
+ pop_error[ERROR_MAX-1] = '\0';
return (-1);
}
else if (strncmp (fromserver, "+OK ", 4))
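Review bot: with pop_last this is the fourth copy in pop.c of the same two lines (strncpy into pop_error with ERROR_MAX, then `pop_error[ERROR_MAX-1] = '\0';`). A small static helper taking the source string would keep the bound and the terminator in one place, so a later call site cannot repeat the missing-terminator mistake.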
diff --git a/src/w32font.c b/src/w32font.c
index dab9f4c..8badace 100644
--- a/src/w32font.c
+++ b/src/w32font.c
@@ -2045,8 +2045,11 @@ fill_in_logfont (FRAME_PTR f, LOGFONT *logfont, Lisp_Object font_spec)
/* Font families are interned, but allow for strings also in case of
user input. */
else if (SYMBOLP (tmp))
- strncpy (logfont->lfFaceName,
- SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE);
+ {
+ strncpy (logfont->lfFaceName,
+ SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE);
+ logfont->lfFaceName[LF_FACESIZE-1] = '\0';
+ }
}
tmp = AREF (font_spec, FONT_ADSTYLE_INDEX);
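Review bot: only the `else if (SYMBOLP (tmp))` branch of fill_in_logfont gets the terminator. The `else if` implies an earlier branch that is not shown, and the comment above it says strings are allowed as well as symbols; if that branch also does a strncpy into logfont->lfFaceName with LF_FACESIZE, it needs the same `logfont->lfFaceName[LF_FACESIZE-1] = '\0';`. The ChangeLog line names only the function, so it does not say which branches were covered.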
--
1.7.10.382.g62bc8
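The failure this patch closes, shown as an added example (not code from Emacs or from this thread): strncpy writes no terminator once the source is as long as the bound, and the extra assignment restores one. The ERROR_MAX value, the sample replies and the stored_length helper are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define ERROR_MAX 16  /* constructed size for this demo; not the value used in pop.c */

/* Pattern before the patch: no NUL is written when strlen (src) >= ERROR_MAX.  */
static void copy_unpatched (char *dst, const char *src)
{
  strncpy (dst, src, ERROR_MAX);
}

/* Pattern after the patch: the last byte of the buffer is always a terminator.  */
static void copy_patched (char *dst, const char *src)
{
  strncpy (dst, src, ERROR_MAX);
  dst[ERROR_MAX - 1] = '\0';
}

/* Hypothetical harness: run COPY into a dirty ERROR_MAX-byte buffer and return
   the length of the stored string, or -1 if the buffer holds no NUL at all.  */
static int stored_length (void (*copy) (char *, const char *), const char *src)
{
  char buf[ERROR_MAX];
  const char *nul;

  memset (buf, 'X', sizeof buf);   /* stale contents, so a missing NUL shows */
  copy (buf, src);
  nul = memchr (buf, '\0', sizeof buf);
  return nul ? (int) (nul - buf) : -1;
}

int main (void)
{
  /* Constructed server replies of 7, 15, 16 and 38 bytes.  */
  const char *replies[] = { "-ERR no", "-ERR 0123456789", "-ERR 0123456789a",
                            "-ERR mailbox locked by another session" };
  size_t i;

  for (i = 0; i < sizeof replies / sizeof replies[0]; i++)
    printf ("%2zu bytes: unpatched=%d patched=%d\n", strlen (replies[i]),
            stored_length (copy_unpatched, replies[i]),
            stored_length (copy_patched, replies[i]));
  return 0;
}
```

A result of -1 marks the case where any later read of the buffer as a C string would run past its end; the patched form truncates to ERROR_MAX - 1 bytes instead.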
Information forwarded to bug-gnu-emacs <at> gnu.org: bug#11372; Package emacs. (Wed, 02 May 2012 10:13:02 GMT)
Message #8 received at 11372 <at> debbugs.gnu.org:
Jim Meyering <jim <at> meyering.net> writes:
> strncpy is often misused.
> I would argue that nearly any use constitutes misuse.
>
> Here are a few fixes:
Thanks, committed to the emacs-24 branch.
bug closed, send any further explanations to 11372 <at> debbugs.gnu.org and Jim Meyering <jim <at> meyering.net>. Request was from Chong Yidong <cyd <at> gnu.org> to control <at> debbugs.gnu.org. (Wed, 02 May 2012 10:14:02 GMT)
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 30 May 2012 11:24:03 GMT)