From ea2a460cf68b6d16a3b379842e91c0bdf942ca16 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Aleksey=20Kliger=20=28=CE=BBgeek=29?=
Date: Fri, 4 Oct 2019 01:17:49 -0400
Subject: [PATCH] =?utf8?q?[merp]=20Don't=20overrun=20buffer=20in=20copy=5F?=
 =?utf8?q?summary=5Fstring=5Fsafe=20=E2=80=A6=20(#17176)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

* [merp] Don't overrun buffer in copy_summary_string_safe MonoFrameSummary:str_destr is an array of MONO_MAX_SUMMARY_NAME_LEN bytes, not MONO_MAX_SUMMARY_NAME_LEN + 1 bytes. Fixes Coverity CID 1454563
* [merp] Use g_strlcpy for copy_summary_string_safe Fixes Coverity CID 1454563 We would sometimes write to MonoSummaryFrame:str_descr which is MONO_MAX_SUMMARY_NAME_LEN bytes long at index MONO_MAX_SUMMARY_NAME_LEN which is one past the end of the array.
* nit: rename confusing parameter names old names were confusing - we were copying from 'out' to 'in'. Now we copy to 'dest' from 'src'
---
 mono/mini/mini-exceptions.c | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/mono/mini/mini-exceptions.c b/mono/mini/mini-exceptions.c
index 4a2c7574ddf..6c4c7683467 100644
--- a/mono/mini/mini-exceptions.c
+++ b/mono/mini/mini-exceptions.c
@@ -1422,17 +1422,9 @@ typedef struct {
 } MonoSummarizeUserData;
 
 static void
-copy_summary_string_safe (char *in, const char *out)
+copy_summary_string_safe (char *dest, const char *src)
 {
- for (int i=0; i < MONO_MAX_SUMMARY_NAME_LEN; i++) {
- in [i] = out [i];
- if (out [i] == '\0')
- return;
- }
-
- // Overflowed
- in [MONO_MAX_SUMMARY_NAME_LEN] = '\0';
- return;
+ g_strlcpy (dest, src, MONO_MAX_SUMMARY_NAME_LEN);
 }
 
 static void
-- 
2.11.4.GIT
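Review bot: The return value of g_strlcpy is discarded on the new `+ g_strlcpy (dest, src, MONO_MAX_SUMMARY_NAME_LEN);` line, so a source string of MONO_MAX_SUMMARY_NAME_LEN bytes or more is still silently truncated exactly as the old loop did, only now without the `// Overflowed` marker that at least named the case. These are crash-summary frame names, and a truncated name presumably gets reported or compared by the callers, where it can collide with a different frame; g_strlcpy returns the full length of src (GLib's contract, and eglib appears to follow it), so `if (g_strlcpy (dest, src, MONO_MAX_SUMMARY_NAME_LEN) >= MONO_MAX_SUMMARY_NAME_LEN) { /* truncated: flag or log */ }` would let the summary mark the truncation instead of hiding it. Because the bound is a bare constant rather than the destination's actual size, the precondition also belongs in a comment above the function, e.g. `/* dest must point to at least MONO_MAX_SUMMARY_NAME_LEN bytes; src is copied with truncation and dest is always NUL-terminated. */`. The whole function lies inside the hunk, so the change is complete as shown.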