[PATCH v2 05/25] [libx11] Fixed by using strncpy and explicitly terminating the buffer
Erkki Seppälä
erkki.seppala at vincit.fi
Mon Jan 31 04:01:57 PST 2011
Possible overrun of 8192 byte fixed size buffer "buffer" by copying "ext->name" without length checking
Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira at nokia.com>
Signed-off-by: Erkki Seppälä <erkki.seppala at vincit.fi>
---
src/XlibInt.c | 7 ++++---
1 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/src/XlibInt.c b/src/XlibInt.c
index d55c26a..52ccff1 100644
--- a/src/XlibInt.c
+++ b/src/XlibInt.c
@@ -1438,9 +1438,10 @@ static int _XPrintDefaultError(
ext && (ext->codes.major_opcode != event->request_code);
ext = ext->next)
;
- if (ext)
- strcpy(buffer, ext->name);
- else
+ if (ext) {
+ strncpy(buffer, ext->name, BUFSIZ);
+ buffer[BUFSIZ - 1] = '\0';
+ } else
buffer[0] = '\0';
}
(void) fprintf(fp, " (%s)\n", buffer);
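Review bot: In the new `if (ext)` branch, both the strncpy() bound and the terminator index are written as the literal BUFSIZ, so the fix holds only while the declaration of buffer (which is outside this hunk) keeps exactly that size. Since the commit message describes buffer as a fixed-size array, `strncpy(buffer, ext->name, sizeof(buffer));` followed by `buffer[sizeof(buffer) - 1] = '\0';` would tie the bound to the array itself. Alternatively, `snprintf(buffer, sizeof(buffer), "%s", ext->name);` terminates in one call and avoids strncpy() zero-filling the rest of the buffer on every short name. A name longer than the buffer is now silently truncated in the fprintf() output, which is acceptable for an error message but worth a word in the commit message. A smaller style point: the `} else` line leaves a braced branch paired with an unbraced one, so bracing `buffer[0] = '\0';` as well would keep the two arms consistent.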
--
1.7.0.4