[PATCH 05/25] [libx11] Possible overrun of 8192 byte fixed size buffer "buffer" by copying "ext->name" without length checking

Erkki Seppälä erkki.seppala at vincit.fi
Mon Jan 31 03:07:12 PST 2011


Fixed by using strncpy and explicitly terminating the buffer

Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira at nokia.com>
Signed-off-by: Erkki Seppälä <erkki.seppala at vincit.fi>
---
 src/XlibInt.c |    7 ++++---
 1 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/XlibInt.c b/src/XlibInt.c
index d55c26a..52ccff1 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1438,9 +1438,10 @@ static int _XPrintDefaultError(
 	     ext && (ext->codes.major_opcode != event->request_code);
 	     ext = ext->next)
 	  ;
-	if (ext)
-	    strcpy(buffer, ext->name);
-	else
+	if (ext) {
+	    strncpy(buffer, ext->name, BUFSIZ);
+	    buffer[BUFSIZ - 1] = '\0';
+        } else
 	    buffer[0] = '\0';
     }
     (void) fprintf(fp, " (%s)\n", buffer);
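Review bot: The bound on the `+	    strncpy(buffer, ext->name, BUFSIZ);` line is the constant BUFSIZ rather than the size of `buffer` itself, whose declaration lies outside this hunk; if `buffer` is a local array, `sizeof buffer` on both the strncpy call and the terminating store (`buffer[sizeof buffer - 1] = '\0';`) keeps the bound tied to the declaration, so a later change to the array size cannot silently reintroduce the overrun described in the subject. Two smaller points: `snprintf(buffer, sizeof buffer, "%s", ext->name)` gives the same truncate-and-terminate behaviour in one call without strncpy's zero-padding of the unused tail, and the closing `+        } else` line is indented with spaces where the surrounding lines use tabs.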
-- 
1.7.0.4



More information about the xorg-devel mailing list