[PATCH 08/32] [libx11] Possible overrun of 8192 byte fixed size buffer "buffer" by copying "ext->name" without length checking
Erkki Seppälä
erkki.seppala at vincit.fi
Wed Jan 26 23:53:51 PST 2011
Fixed by using strncpy and explicitly terminating the buffer
Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira at nokia.com>
Signed-off-by: Erkki Seppälä <erkki.seppala at vincit.fi>
---
src/XlibInt.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/XlibInt.c b/src/XlibInt.c
index c385f4c..9f2745e 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1438,9 +1438,10 @@ static int _XPrintDefaultError(
ext && (ext->codes.major_opcode != event->request_code);
ext = ext->next)
;
- if (ext)
- strcpy(buffer, ext->name);
- else
+ if (ext) {
+ strncpy(buffer, ext->name, BUFSIZ);
+ buffer[BUFSIZ - 1] = '\0';
+ } else
buffer[0] = '\0';
}
(void) fprintf(fp, " (%s)\n", buffer);
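
Review bot: In the new `if (ext) {` branch the bound is written as `BUFSIZ` in both the `strncpy` call and the `buffer[BUFSIZ - 1]` terminator, but the declaration of `buffer` is not in this hunk, so the copy is only safe while that declaration stays exactly `BUFSIZ` bytes. Assuming `buffer` is a local array here rather than a pointer, using `sizeof(buffer)` in both places would tie the limit to the object itself. Two smaller points: a long `ext->name` is now silently truncated in the printed message, and `strncpy` zero-fills the rest of the buffer on every call; `snprintf(buffer, sizeof(buffer), "%s", ext->name)` would bound and terminate the copy in one step without the padding.
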
--
1.7.0.4