From c17b535a33f9388e7eb183c3e1a0971259f4a5e6 Mon Sep 17 00:00:00 2001
From: Lukas Fleischer
Date: Sat, 18 Feb 2012 15:40:01 +0100
Subject: Fix up strncat() usage

The last argument to strncat() should not be the total buffer length; it should be the space remaining:

The strncat() function shall append not more than n bytes (a null byte and bytes that follow it are not appended) from the array pointed to by s2 to the end of the string pointed to by s1. The initial byte of s2 overwrites the null byte at the end of s1. A terminating null byte is always appended to the result.

This patch fixes a couple of potential buffer overflow vulnerabilities.

Signed-off-by: Lukas Fleischer
---
 src/ical.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

(limited to 'src/ical.c')

diff --git a/src/ical.c b/src/ical.c
index 4360a76..ac158fc 100644
--- a/src/ical.c
+++ b/src/ical.c
@@ -447,8 +447,7 @@ ical_readline (FILE *fdi, char *buf, char *lstore, unsigned *ln)
 *eol = '\0';
 if (*lstore != SPACE && *lstore != TAB)
 break;
- strncat (buf, lstore + 1, BUFSIZ);
- buf[BUFSIZ - 1] = '\0';
+ strncat (buf, lstore + 1, BUFSIZ - strlen (buf) - 1);
 (*ln)++;
 }
--
cgit v1.2.3-54-g00ecf
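Review bot: The new bound `BUFSIZ - strlen (buf) - 1` in ical_readline is only safe if the caller's `buf` really holds BUFSIZ bytes and is already NUL-terminated within them; `buf` arrives as a bare `char *`, and nothing visible in the hunk enforces that. The subtraction is done in size_t, so if strlen (buf) ever reached BUFSIZ the count would wrap to a very large value rather than zero. Taking the length once and guarding the call keeps the append bounded in that case: `size_t used = strlen (buf);` then `if (used < BUFSIZ - 1) strncat (buf, lstore + 1, BUFSIZ - used - 1);`. A folded line that does not fit is still truncated silently, so a short comment stating the BUFSIZ contract on `buf`, and a warning when input from the imported file is cut, would both help. The function body starts and ends outside the hunk.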