diff options
| author | Jim Meyering <jim@meyering.net> | 2012-10-23 16:10:21 +0200 |
|---|---|---|
| committer | Jim Meyering <jim@meyering.net> | 2012-10-23 16:13:40 +0200 |
| commit | 36a93b370040444d6d2240100404490064b6fa00 (patch) | |
| tree | 32ff82b393ebbe6fb3d64de0c94ecdef89abe86b /src/lid.c | |
| parent | b7ac27d5fe9ef7751b79812dc0095a59bddbfd4d (diff) | |
| download | idutils-36a93b370040444d6d2240100404490064b6fa00.tar.gz idutils-36a93b370040444d6d2240100404490064b6fa00.tar.bz2 idutils-36a93b370040444d6d2240100404490064b6fa00.zip | |
lid: avoid reading beyond end of buffer for a long name
* libidu/idfile.h (stzncpy): Define, from coreutils.
* src/lid.c (query_ambiguous_prefix): Avoid buffer overrun.
Using strncpy to copy a too-long name would result in a "name"
that is not NUL-terminated, yet that name would be treated as
a NUL-terminated string immediately afterwards, via report_func,
which attempts to print it.
* libidu/fnprint.c (root_name): Use stzncpy in place of strncpy.
* NEWS (Bug fixes): Mention the bug fix.
Diffstat (limited to 'src/lid.c')
| -rw-r--r-- | src/lid.c | 4 |
1 files changed, 2 insertions, 2 deletions
@@ -1042,7 +1042,7 @@ query_ambiguous_prefix (unsigned int limit, report_func_t report_func) { if (consecutive && key_style != ks_token) { - strncpy (&name[1], old, limit); + stzncpy (&name[1], old, limit - 2); (*report_func) (name, bits_to_flinkv (bits_vec)); } consecutive = 0; @@ -1064,7 +1064,7 @@ query_ambiguous_prefix (unsigned int limit, report_func_t report_func) } if (consecutive && key_style != ks_token) { - strncpy (&name[1], new, limit); + stzncpy (&name[1], new, limit - 2); (*report_func) (name, bits_to_flinkv (bits_vec)); } return count; |