tuple: test for, and stop string processing, on truncation

otherwise a buffer overflow occurs. this has been a bug in pkgconf since the beginning, it seems. instead of disclosing the bug correctly, a "hotshot" developer decided to blog about it instead. sigh. https://nullprogram.com/blog/2023/01/18/
5 months ago · 628b2b2baf
parent 3e481581ba
commit 628b2b2baf
1 changed files with 23 additions and 5 deletions
--- a/libpkgconf/tuple.c
+++ b/libpkgconf/tuple.c
@ -357,12 +357,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const

 			PKGCONF_TRACE(client, "lookup tuple %s", varname);

+			size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
 			ptr += (pptr - ptr);
 			kv = pkgconf_tuple_find_global(client, varname);
 			if (kv != NULL)
 			{
-				strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
-				bptr += strlen(kv);
+				size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
+				if (nlen > remain)
+				{
+					pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
+
+					bptr = buf + (PKGCONF_BUFSIZE - 1);
+					break;
+				}
+
+				bptr += nlen;
 			}
 			else
 			{
@ -370,12 +379,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const

 				if (kv != NULL)
 				{
+					size_t nlen;
+
 					parsekv = pkgconf_tuple_parse(client, vars, kv, flags);
+					nlen = pkgconf_strlcpy(bptr, parsekv, remain);
+					free(parsekv);

-					strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
-					bptr += strlen(parsekv);
+					if (nlen > remain)
+					{
+						pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");

-					free(parsekv);
+						bptr = buf + (PKGCONF_BUFSIZE - 1);
+						break;
+					}
+
+					bptr += nlen;
 				}
 			}
 		}