[PATCH:xsm] Add size limit to scanf string specifier
Jeremy Huddleston
jeremyhu at apple.com
Tue Nov 29 23:27:58 PST 2011
Reviewed-by: Jeremy Huddleston <jeremyhu at apple.com>
<lazy>Can this be exploited?</lazy>
On Nov 28, 2011, at 6:56 PM, Alan Coopersmith wrote:
> While it's tempting to just switch to fgets(), that would require
> implementing our own whitespace stripping to match the current
> scanf behavior.
>
> Fixes parfait static analysis warning:
> Error: Buffer overrun
> Buffer overflow (CWE 120): Use of fscanf(%s), with buffer 'buf'
> at line 135 of app/xsm/lock.c in function 'GetLockId'.
>
> [ This bug was found by the Parfait 0.3.7 bug checking tool.
> For more information see http://labs.oracle.com/projects/parfait/ ]
>
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> ---
> lock.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/lock.c b/lock.c
> index 9a4553a..d51d09e 100644
> --- a/lock.c
> +++ b/lock.c
> @@ -132,7 +132,7 @@ GetLockId(const char *session_name)
> }
>
> buf[0] = '\0';
> - fscanf (fp, "%s\n", buf);
> + fscanf (fp, "%255s\n", buf);
> ret = XtNewString (buf);
>
> fclose (fp);
> --
> 1.7.3.2
>
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: http://lists.x.org/mailman/listinfo/xorg-devel
>
More information about the xorg-devel
mailing list