This is an automated email from the git hooks/post-receive script.

git pushed a commit to branch master
in repository enventor.


commit 60dbdf6aad75f89752d3f663a1bf7acf350369ad
Author: Thanatermesis <[email protected]>
AuthorDate: Mon Feb 23 15:51:55 2026 -0500

    fix: Fix buffer overflow and path parsing logic in config_data
    
    I have identified a potential buffer overflow and a logical error in src/bin/config_data.c.
    
    1 In config_edj_path_update, snprintf used (ext - file) + 1 as the size for the filename buffer. If the input path is very long, this could exceed PATH_MAX. Also, the logic
    for generating the temporary filename was slightly flawed because eina_file_mkstemp expects a template ending in XXXXXX, and the code was prepending a filename that might
    make the total length exceed PATH_MAX or contain characters that interfere with template creation. I will fix the buffer size handling.
    2 In several path setter functions (config_snd_path_set, config_dat_path_set, config_fnt_path_set, config_img_path_set), the lex pointer is incremented then checked in the
    while loop condition. If lex is the result of strstr and it's not NULL, it points to the delimiter. After lex++, it might point to the end of the string (null terminator).
    The loop condition while(snd_path && (strlen(snd_path) > 0)) uses snd_path, but snd_path is only updated at the end of the loop with snd_path = lex. If lex becomes NULL (no
    more delimiters), the loop condition will eventually fail, which is correct, but the logic inside handles the "no more delimiters" case by adding the remainder of the
    string. However, if lex was incremented past the end of the string, it could lead to an out-of-bounds read in the next iteration's strlen(snd_path). I will refine the loop
    logic to be safer.
---
 src/bin/config_data.c | 36 +++++++++++++++++-------------------
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/src/bin/config_data.c b/src/bin/config_data.c
index c619340..94ae7d6 100644
--- a/src/bin/config_data.c
+++ b/src/bin/config_data.c
@@ -64,14 +64,16 @@ config_edj_path_update(config_data *cd)
 
    char *ext = strstr(cd->input_path, ".edc");
    const char *file = ecore_file_file_get(cd->input_path);
-   if (ext && file)
+   if (ext && file && (ext > file))
      {
         char filename[PATH_MAX];
-        snprintf(filename, (ext - file) + 1, "%s", file);
+        size_t len = ext - file;
+        if (len >= PATH_MAX) len = PATH_MAX - 1;
+        snprintf(filename, len + 1, "%s", file);
         snprintf(buf, sizeof(buf), "%s_XXXXXX.edj", filename);
      }
    else
-     snprintf(buf, sizeof(buf), "%s_XXXXXX.edj", file);
+     snprintf(buf, sizeof(buf), "%s_XXXXXX.edj", file ? file : "enventor");
 
    if (!eina_file_mkstemp(buf, &tmp_path))
      {
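Review bot: `strstr(cd->input_path, ".edc")` still searches the whole path and returns the first match, so a path that contains `.edc` before the real extension (for example the constructed path `/tmp/a.edc.d/main.edc`) either falls through the new `ext > file` guard into the else branch and keeps `.edc` in the temp name, or cuts the base name at the wrong place. Looking for the last dot of the base name would be more precise: `const char *dot = file ? strrchr(file, '.') : NULL;` followed by `if (dot && dot > file && !strcmp(dot, ".edc"))`. Separately, the return value of the second `snprintf` into `buf` is not checked; `buf` is declared outside this hunk, but if it is no larger than `filename`, a long name is truncated and the `XXXXXX.edj` suffix that `eina_file_mkstemp` relies on is lost. The function body starts before and continues after this hunk.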
@@ -421,7 +423,7 @@ config_snd_path_set(const char *snd_path)
    const char *lex;
    Eina_Stringshare *append;
 
-   while(snd_path && (strlen(snd_path) > 0))
+   while(snd_path && snd_path[0] != '\0')
      {
         lex = strstr(snd_path, ";");
         if (lex)
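Review bot: A leading `;` or a doubled `;;` in `snd_path` makes `strstr` return `lex == snd_path`, and nothing visible between this check and the append calls in the next hunk skips that zero-length segment, so an empty entry would be added to the list and a bare ` -sd ` to the buffer. A guard right after the `strstr` line would avoid that: `if (lex == snd_path) { snd_path++; continue; }`. The lines between this hunk and the next are not shown, so confirm the length-based add is not already guarded. The same applies to the `config_dat_path_set`, `config_fnt_path_set` and `config_img_path_set` hunks below.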
@@ -432,7 +434,7 @@ config_snd_path_set(const char *snd_path)
                                                       append);
              eina_strbuf_append(cd->snd_path_buf, " -sd ");
              eina_strbuf_append(cd->snd_path_buf, append);
-             lex++;
+             snd_path = lex + 1;
           }
         else
           {
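Review bot: The path segment is appended to `cd->snd_path_buf` verbatim after ` -sd `, so a directory name containing a space splits into two arguments, and if this buffer is later spliced into a command line that a shell interprets, metacharacters in the path are interpreted too. How the buffer is consumed is not visible here; if it does reach a shell, escape each segment before appending (Ecore_File provides `ecore_file_escape_name()`, whose result must be freed) or pass the directories as separate argv entries instead of one string. The `else` branch in the next hunk and the matching appends for ` -dd `, ` -fd ` and ` -id ` in the other three setters have the same shape.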
@@ -441,9 +443,8 @@ config_snd_path_set(const char *snd_path)
                                                       append);
              eina_strbuf_append(cd->snd_path_buf, " -sd ");
              eina_strbuf_append(cd->snd_path_buf, append);
+             break;
           }
-
-        snd_path = lex;
      }
 }
 
@@ -463,7 +464,7 @@ config_dat_path_set(const char *dat_path)
    const char *lex;
    Eina_Stringshare *append;
 
-   while(dat_path && (strlen(dat_path) > 0))
+   while(dat_path && dat_path[0] != '\0')
      {
         lex = strstr(dat_path, ";");
         if (lex)
@@ -474,7 +475,7 @@ config_dat_path_set(const char *dat_path)
                                                       append);
              eina_strbuf_append(cd->dat_path_buf, " -dd ");
              eina_strbuf_append(cd->dat_path_buf, append);
-             lex++;
+             dat_path = lex + 1;
           }
         else
           {
@@ -483,9 +484,8 @@ config_dat_path_set(const char *dat_path)
                                                       append);
              eina_strbuf_append(cd->dat_path_buf, " -dd ");
              eina_strbuf_append(cd->dat_path_buf, append);
+             break;
           }
-
-        dat_path = lex;
      }
 }
 
@@ -505,7 +505,7 @@ config_fnt_path_set(const char *fnt_path)
    const char *lex;
    Eina_Stringshare *append;
 
-   while(fnt_path && (strlen(fnt_path) > 0))
+   while(fnt_path && fnt_path[0] != '\0')
      {
         lex = strstr(fnt_path, ";");
         if (lex)
@@ -516,7 +516,7 @@ config_fnt_path_set(const char *fnt_path)
                                                       append);
              eina_strbuf_append(cd->fnt_path_buf, " -fd ");
              eina_strbuf_append(cd->fnt_path_buf, append);
-             lex++;
+             fnt_path = lex + 1;
           }
         else
           {
@@ -525,9 +525,8 @@ config_fnt_path_set(const char *fnt_path)
                                                       append);
              eina_strbuf_append(cd->fnt_path_buf, " -fd ");
              eina_strbuf_append(cd->fnt_path_buf, append);
+             break;
           }
-
-        fnt_path = lex;
      }
 }
 
@@ -547,7 +546,7 @@ config_img_path_set(const char *img_path)
    const char *lex;
    Eina_Stringshare *append;
 
-   while(img_path && (strlen(img_path) > 0))
+   while(img_path && img_path[0] != '\0')
      {
         lex = strstr(img_path, ";");
         if (lex)
@@ -558,7 +557,7 @@ config_img_path_set(const char *img_path)
                                                       append);
              eina_strbuf_append(cd->img_path_buf, " -id ");
              eina_strbuf_append(cd->img_path_buf, append);
-             lex++;
+             img_path = lex + 1;
           }
         else
           {
@@ -567,9 +566,8 @@ config_img_path_set(const char *img_path)
                                                       append);
              eina_strbuf_append(cd->img_path_buf, " -id ");
              eina_strbuf_append(cd->img_path_buf, append);
+             break;
           }
-
-        img_path = lex;
      }
 }
 
