[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [PATCH 1/2] Fix overread by 1 byte in pk_cmd_get_next_match()
From: |
Jose E. Marchesi |
Subject: |
Re: [PATCH 1/2] Fix overread by 1 byte in pk_cmd_get_next_match() |
Date: |
Fri, 13 Dec 2019 01:22:06 +0100 |
User-agent: |
Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) |
Hi Dan.
From: Dan Čermák <address@hidden>
The name string was generated with the wrong length: strlen() returns the
length
of (*c)->name _excluding_ \0, but we must allocated enough bytes for
'.' + strlen((*c)->name) + '\0' => strlen((*c)->name) + 2.
Furthermore, since we only need to copy a single character into name, we
just
write the char directly instead of invoking strcpy and then use strncpy
instead
of the notoriously unsafe strcat.
Installed.
Thanks!
---
src/pk-cmd.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/pk-cmd.c b/src/pk-cmd.c
index 7d703b1..abc2115 100644
--- a/src/pk-cmd.c
+++ b/src/pk-cmd.c
@@ -787,9 +787,11 @@ pk_cmd_get_next_match (int *idx, const char *x, size_t
len)
if (*c == &null_cmd)
break;
- char *name = xmalloc (strlen ((*c)->name) + 1);
- strcpy (name, ".");
- strcat (name, (*c)->name);
+ /* don't forget the null terminator of name */
+ const size_t name_len = strlen ((*c)->name);
+ char *name = xmalloc (name_len + 2);
+ name[0] = '.';
+ strncpy (name+1, (*c)->name, name_len + 1);
if (0 != strncmp (name, x, len))
{
free (name);