diff options
| author | Lukas Fleischer <calcurse@cryptocrack.de> | 2012-02-18 15:40:01 +0100 |
|---|---|---|
| committer | Lukas Fleischer <calcurse@cryptocrack.de> | 2012-02-18 16:00:18 +0100 |
| commit | c17b535a33f9388e7eb183c3e1a0971259f4a5e6 (patch) | |
| tree | 130e17a2b5abd48fd478f30ccf096e00ce5e6dfc /src | |
| parent | 9a8ea7ff91486b53511d49a1b1bb44d48a549018 (diff) | |
| download | calcurse-c17b535a33f9388e7eb183c3e1a0971259f4a5e6.tar.gz calcurse-c17b535a33f9388e7eb183c3e1a0971259f4a5e6.zip | |
Fix up strncat() usage
The last argument to strncat() should not be the total buffer length; it
should be the space remaining:
The strncat() function shall append not more than n bytes (a null
byte and bytes that follow it are not appended) from the array
pointed to by s2 to the end of the string pointed to by s1. The
initial byte of s2 overwrites the null byte at the end of s1. A
terminating null byte is always appended to the result.
This patch fixes a couple of potential buffer overflow vulnerabilities.
Signed-off-by: Lukas Fleischer <calcurse@cryptocrack.de>
Diffstat (limited to 'src')
| -rw-r--r-- | src/config.c | 4 | ||||
| -rw-r--r-- | src/ical.c | 3 | ||||
| -rw-r--r-- | src/keys.c | 4 | ||||
| -rw-r--r-- | src/note.c | 4 |
4 files changed, 7 insertions, 8 deletions
diff --git a/src/config.c b/src/config.c index 9bdb201..e965c1a 100644 --- a/src/config.c +++ b/src/config.c @@ -562,10 +562,10 @@ config_save (void) int i; strncpy (tmppath, get_tempdir (), BUFSIZ); - strncat (tmppath, "/" CONF_PATH_NAME ".", BUFSIZ); + strncat (tmppath, "/" CONF_PATH_NAME ".", BUFSIZ - strlen (tmppath) - 1); if ((tmpext = new_tempfile (tmppath, TMPEXTSIZ)) == NULL) return 0; - strncat (tmppath, tmpext, BUFSIZ); + strncat (tmppath, tmpext, BUFSIZ - strlen (tmppath) - 1); mem_free (tmpext); status.fp = fopen (tmppath, "w"); @@ -447,8 +447,7 @@ ical_readline (FILE *fdi, char *buf, char *lstore, unsigned *ln) *eol = '\0'; if (*lstore != SPACE && *lstore != TAB) break; - strncat (buf, lstore + 1, BUFSIZ); - buf[BUFSIZ - 1] = '\0'; + strncat (buf, lstore + 1, BUFSIZ - strlen (buf) - 1); (*ln)++; } @@ -436,7 +436,7 @@ keys_format_label (char *key, int keylen) { static char fmtkey[BUFSIZ]; const int len = strlen (key); - char *dot = "."; + const char dot = '.'; int i; if (keylen > BUFSIZ) @@ -455,7 +455,7 @@ keys_format_label (char *key, int keylen) { for (i = 0; i < keylen - 1; i++) fmtkey[i] = key[i]; - strncat (fmtkey, dot, strlen (dot)); + fmtkey[keylen - 1] = dot; } return fmtkey; } @@ -76,10 +76,10 @@ edit_note (char **note, char *editor) FILE *fp; strncpy (tmppath, get_tempdir (), BUFSIZ); - strncat (tmppath, "/calcurse-note.", BUFSIZ); + strncat (tmppath, "/calcurse-note.", BUFSIZ - strlen (tmppath) - 1); if ((tmpext = new_tempfile (tmppath, TMPEXTSIZ)) == NULL) return; - strncat (tmppath, tmpext, BUFSIZ); + strncat (tmppath, tmpext, BUFSIZ - strlen (tmppath) - 1); mem_free (tmpext); if (*note != NULL) |