aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLukas Fleischer <calcurse@cryptocrack.de>2012-02-18 15:40:01 +0100
committerLukas Fleischer <calcurse@cryptocrack.de>2012-02-18 16:00:18 +0100
commitc17b535a33f9388e7eb183c3e1a0971259f4a5e6 (patch)
tree130e17a2b5abd48fd478f30ccf096e00ce5e6dfc
parent9a8ea7ff91486b53511d49a1b1bb44d48a549018 (diff)
downloadcalcurse-c17b535a33f9388e7eb183c3e1a0971259f4a5e6.tar.gz
calcurse-c17b535a33f9388e7eb183c3e1a0971259f4a5e6.zip
Fix up strncat() usage
The last argument to strncat() should not be the total buffer length; it should be the space remaining: The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1. The initial byte of s2 overwrites the null byte at the end of s1. A terminating null byte is always appended to the result. This patch fixes a couple of potential buffer overflow vulnerabilities. Signed-off-by: Lukas Fleischer <calcurse@cryptocrack.de>
-rw-r--r--src/config.c4
-rw-r--r--src/ical.c3
-rw-r--r--src/keys.c4
-rw-r--r--src/note.c4
4 files changed, 7 insertions, 8 deletions
diff --git a/src/config.c b/src/config.c
index 9bdb201..e965c1a 100644
--- a/src/config.c
+++ b/src/config.c
@@ -562,10 +562,10 @@ config_save (void)
int i;
strncpy (tmppath, get_tempdir (), BUFSIZ);
- strncat (tmppath, "/" CONF_PATH_NAME ".", BUFSIZ);
+ strncat (tmppath, "/" CONF_PATH_NAME ".", BUFSIZ - strlen (tmppath) - 1);
if ((tmpext = new_tempfile (tmppath, TMPEXTSIZ)) == NULL)
return 0;
- strncat (tmppath, tmpext, BUFSIZ);
+ strncat (tmppath, tmpext, BUFSIZ - strlen (tmppath) - 1);
mem_free (tmpext);
status.fp = fopen (tmppath, "w");
diff --git a/src/ical.c b/src/ical.c
index 4360a76..ac158fc 100644
--- a/src/ical.c
+++ b/src/ical.c
@@ -447,8 +447,7 @@ ical_readline (FILE *fdi, char *buf, char *lstore, unsigned *ln)
*eol = '\0';
if (*lstore != SPACE && *lstore != TAB)
break;
- strncat (buf, lstore + 1, BUFSIZ);
- buf[BUFSIZ - 1] = '\0';
+ strncat (buf, lstore + 1, BUFSIZ - strlen (buf) - 1);
(*ln)++;
}
diff --git a/src/keys.c b/src/keys.c
index 005595d..dc0d95f 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -436,7 +436,7 @@ keys_format_label (char *key, int keylen)
{
static char fmtkey[BUFSIZ];
const int len = strlen (key);
- char *dot = ".";
+ const char dot = '.';
int i;
if (keylen > BUFSIZ)
@@ -455,7 +455,7 @@ keys_format_label (char *key, int keylen)
{
for (i = 0; i < keylen - 1; i++)
fmtkey[i] = key[i];
- strncat (fmtkey, dot, strlen (dot));
+ fmtkey[keylen - 1] = dot;
}
return fmtkey;
}
diff --git a/src/note.c b/src/note.c
index 2686dd7..1891a5f 100644
--- a/src/note.c
+++ b/src/note.c
@@ -76,10 +76,10 @@ edit_note (char **note, char *editor)
FILE *fp;
strncpy (tmppath, get_tempdir (), BUFSIZ);
- strncat (tmppath, "/calcurse-note.", BUFSIZ);
+ strncat (tmppath, "/calcurse-note.", BUFSIZ - strlen (tmppath) - 1);
if ((tmpext = new_tempfile (tmppath, TMPEXTSIZ)) == NULL)
return;
- strncat (tmppath, tmpext, BUFSIZ);
+ strncat (tmppath, tmpext, BUFSIZ - strlen (tmppath) - 1);
mem_free (tmpext);
if (*note != NULL)