From 9ad278ddf8c67f89574947b5f87c4e8ff5d047c5 Mon Sep 17 00:00:00 2001 From: Christophe CURIS Date: Wed, 18 Jul 2012 00:02:22 +0200 Subject: [PATCH] Menu parser: added boundary checks in the path-gen for #include file search When generating the full path+name of file to search for a file being #included, it was generated in a buffer that's supposedly large enough (MAXLINE > 2*PATH_MAX). However, this limit has a few issues (PATH_MAX seem to be able to be bigger, and worse: we can't be sure we're given longer args). The code was rewrote to natively include boundary checks so we're sure we won't overflow the buffer. A few strncpy have been removed because in this case they tend to make things harder to write. --- WINGs/menuparser.c | 25 +++++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/WINGs/menuparser.c b/WINGs/menuparser.c index b196a006..881c4e80 100644 --- a/WINGs/menuparser.c +++ b/WINGs/menuparser.c @@ -474,22 +474,31 @@ static Bool menu_parser_include_file(WMenuParser parser) if (fh == NULL) { if (req_filename[0] != '/') { const char *src; + int idx; fullfilename = buffer; src = parser->include_default_paths; while (*src != '\0') { - p = buffer; + idx = 0; if (*src == '~') { char *home = wgethomedir(); - while (*home != '\0') - *p++ = *home++; + while (*home != '\0') { + if (idx < sizeof(buffer) - 2) + buffer[idx++] = *home; + home++; + } + src++; + } + while ((*src != '\0') && (*src != ':')) { + if (idx < sizeof(buffer) - 2) + buffer[idx++] = *src; src++; } - while ((*src != '\0') && (*src != ':')) - *p++ = *src++; - *p++ = '/'; - strncpy(p, req_filename, sizeof(buffer) - (p - buffer - 1)); - buffer[sizeof(buffer) - 1] = '\0'; + buffer[idx++] = '/'; + for (p = req_filename; *p != '\0'; p++) + if (idx < sizeof(buffer) - 1) + buffer[idx++] = *p; + buffer[idx] = '\0'; fh = fopen(fullfilename, "rb"); if (fh != NULL) goto found_valid_file; -- 2.11.4.GIT