On 01/31/11 04:01 AM, Erkki Seppälä wrote:
> Possible overrun of 8192 byte fixed size buffer "buffer" by copying 
> "ext->name" without length checking
> 
> Reviewed-by: Ander Conselvan de Oliveira 
> <[email protected]>
> Signed-off-by: Erkki Seppälä <[email protected]>
> ---
>  src/XlibInt.c |    7 ++++---
>  1 files changed, 4 insertions(+), 3 deletions(-)
> 
> diff --git a/src/XlibInt.c b/src/XlibInt.c
> index d55c26a..52ccff1 100644
> --- a/src/XlibInt.c
> +++ b/src/XlibInt.c
> @@ -1438,9 +1438,10 @@ static int _XPrintDefaultError(
>            ext && (ext->codes.major_opcode != event->request_code);
>            ext = ext->next)
>         ;
> -     if (ext)
> -         strcpy(buffer, ext->name);
> -     else
> +     if (ext) {
> +         strncpy(buffer, ext->name, BUFSIZ);
> +         buffer[BUFSIZ - 1] = '\0';
> +        } else
>           buffer[0] = '\0';
>      }
>      (void) fprintf(fp, " (%s)\n", buffer);
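Review bot: the bound passed on the `+         strncpy(buffer, ext->name, BUFSIZ);` line is the stdio constant BUFSIZ, while the commit message describes an 8192-byte fixed buffer and the declaration of `buffer` is not in this hunk; if `buffer` is a local array, `sizeof(buffer)` ties the bound to the declaration so the two cannot drift apart if either changes. Style point on the same block: the closing `+        } else` line is indented one column deeper than its `if (ext) {`, and the else arm stays unbraced while the if arm gains braces; aligning the brace and bracing both arms keeps the block consistent with the surrounding code.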

If we ever have an extension with a name > 8192 characters, someone needs to be
hurt. Unfortunately, static analysis tools can't assume we have common sense
(X clearly being full of counterexamples), and the error printing code is never
going to be a performance bottleneck, so may as well fix to reduce the noise:

Reviewed-by: Alan Coopersmith <[email protected]>

-- 
        -Alan Coopersmith-        [email protected]
         Oracle Solaris Platform Engineering: X Window System
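The patch relies on a subtlety worth seeing in isolation: strncpy does not write a terminator when the source is at least as long as the bound, which is why the hunk follows it with an explicit buffer[BUFSIZ - 1] = '\0'. The program below is an added example, not libX11 code; NAME_BUF (16 bytes) is a stand-in for the real char buffer[BUFSIZ], and copy_name_bounded, strncpy_leaves_terminator, bounded_copy_len and bounded_copy_truncated are hypothetical helper names.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the patch's char buffer[BUFSIZ]; small so truncation is easy to see. */
#define NAME_BUF 16

/* Returns 1 if a plain strncpy(dst, src, n) leaves a NUL within the first n bytes,
   0 if not, -1 if n is larger than this demo's scratch buffer. The scratch buffer is
   pre-filled with 'X' so any NUL found must have come from strncpy itself. */
int strncpy_leaves_terminator(const char *src, size_t n)
{
    char dst[64];
    if (n > sizeof dst)
        return -1;
    memset(dst, 'X', sizeof dst);
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* The pattern the patch introduces: bounded copy followed by a forced terminator.
   dstsz must be > 0. Returns 1 if src did not fit and was truncated, 0 otherwise. */
int copy_name_bounded(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz;
}

/* Copies src into a NAME_BUF-sized buffer and returns the resulting string length,
   which can never exceed NAME_BUF - 1 because the terminator is always written. */
size_t bounded_copy_len(const char *src)
{
    char buf[NAME_BUF];
    copy_name_bounded(buf, sizeof buf, src);
    return strlen(buf);
}

/* Reports whether copying src into a NAME_BUF-sized buffer truncates it. */
int bounded_copy_truncated(const char *src)
{
    char buf[NAME_BUF];
    return copy_name_bounded(buf, sizeof buf, src);
}

int main(void)
{
    /* Constructed sample names: one short, one exactly NAME_BUF long, one longer. */
    const char *names[] = { "MIT-SHM", "0123456789ABCDEF", "0123456789ABCDEFGHIJ" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        char buf[NAME_BUF];
        int truncated = copy_name_bounded(buf, sizeof buf, names[i]);
        printf("%-22s strncpy alone terminates: %d  truncated: %d  result: \"%s\"\n",
               names[i], strncpy_leaves_terminator(names[i], NAME_BUF), truncated, buf);
    }
    return 0;
}
```

The 16-character name is the instructive case: strncpy alone copies all 16 bytes and no NUL, so a later fprintf("%s") would read past the array, while the forced terminator caps the result at 15 characters. The same holds for the real BUFSIZ-sized buffer; only the threshold differs.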

_______________________________________________
[email protected]: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: http://lists.x.org/mailman/listinfo/xorg-devel