Menu parser: added boundary checks in the path-gen for #include file search
authorChristophe CURIS <christophe.curis@free.fr>
Tue, 17 Jul 2012 22:02:22 +0000 (18 00:02 +0200)
committerCarlos R. Mafra <crmafra@gmail.com>
Thu, 19 Jul 2012 10:23:29 +0000 (19 11:23 +0100)
When generating the full path+name of the file to search for when a
file is being #included, the name was built in a buffer that is
supposedly large enough (MAXLINE > 2*PATH_MAX). However, this limit has
a few issues (PATH_MAX seems to be able to be bigger, and worse: we
can't be sure we won't be given longer args).

The code was rewritten to natively include boundary checks so we're
sure we won't overflow the buffer. A few strncpy calls have been removed
because in this case they tend to make things harder to write.

WINGs/menuparser.c

index b196a00..881c4e8 100644 (file)
@@ -474,22 +474,31 @@ static Bool menu_parser_include_file(WMenuParser parser)
        if (fh == NULL) {
                if (req_filename[0] != '/') {
                        const char *src;
+                       int idx;
 
                        fullfilename = buffer;
                        src = parser->include_default_paths;
                        while (*src != '\0') {
-                               p = buffer;
+                               idx = 0;
                                if (*src == '~') {
                                        char *home = wgethomedir();
-                                       while (*home != '\0')
-                                               *p++ = *home++;
+                                       while (*home != '\0') {
+                                               if (idx < sizeof(buffer) - 2)
+                                                       buffer[idx++] = *home;
+                                               home++;
+                                       }
+                                       src++;
+                               }
+                               while ((*src != '\0') && (*src != ':')) {
+                                       if (idx < sizeof(buffer) - 2)
+                                               buffer[idx++] = *src;
                                        src++;
                                }
-                               while ((*src != '\0') && (*src != ':'))
-                                       *p++ = *src++;
-                               *p++ = '/';
-                               strncpy(p, req_filename, sizeof(buffer) - (p - buffer - 1));
-                               buffer[sizeof(buffer) - 1] = '\0';
+                               buffer[idx++] = '/';
+                               for (p = req_filename; *p != '\0'; p++)
+                                       if (idx < sizeof(buffer) - 1)
+                                               buffer[idx++] = *p;
+                               buffer[idx] = '\0';
 
                                fh = fopen(fullfilename, "rb");
                                if (fh != NULL) goto found_valid_file;
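Review bot: The new bounds checks prevent the overflow but silently drop every character that does not fit, so when an include-path entry plus `req_filename` exceeds `sizeof(buffer)`, the `fopen(fullfilename, "rb")` at the end of the hunk is attempted on a truncated name, which can resolve to a different file than the one the menu asked to #include. I would record truncation per entry and skip the open for that entry instead of trying a shortened path, as sketched below. Separately, `idx` is an `int` compared against `sizeof(buffer) - 2`, which is a signed/unsigned comparison; declaring it `size_t idx;` avoids that. `menu_parser_include_file` starts and ends outside this hunk, so the declaration of `buffer` and the code that advances `src` past ':' are not visible here.

```c
int idx;
Bool truncated;   /* set when the current entry does not fit in buffer */

/* … unchanged: fullfilename/src setup and the while (*src != '\0') header … */
idx = 0;
truncated = False;
/* … unchanged: '~' expansion and path-element copy loops, except that each
 *   `if (idx < sizeof(buffer) - 2)` gains `else truncated = True;` … */
buffer[idx++] = '/';
for (p = req_filename; *p != '\0'; p++) {
        if (idx < sizeof(buffer) - 1)
                buffer[idx++] = *p;
        else
                truncated = True;
}
buffer[idx] = '\0';

/* a truncated name is not the requested file: do not try to open it */
if (!truncated) {
        fh = fopen(fullfilename, "rb");
        if (fh != NULL) goto found_valid_file;
}
```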