From 628b2b2bafa5d3a2017193ddf375093e70666059 Mon Sep 17 00:00:00 2001 From: Ariadne Conill Date: Fri, 20 Jan 2023 22:07:03 +0000 Subject: [PATCH] tuple: test for, and stop string processing, on truncation otherwise a buffer overflow occurs. this has been a bug in pkgconf since the beginning, it seems. instead of disclosing the bug correctly, a "hotshot" developer decided to blog about it instead. sigh. https://nullprogram.com/blog/2023/01/18/ --- libpkgconf/tuple.c | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c index acd6624..d4d14de 100644 --- a/libpkgconf/tuple.c +++ b/libpkgconf/tuple.c @@ -357,12 +357,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const PKGCONF_TRACE(client, "lookup tuple %s", varname); + size_t remain = PKGCONF_BUFSIZE - (bptr - buf); ptr += (pptr - ptr); kv = pkgconf_tuple_find_global(client, varname); if (kv != NULL) { - strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf)); - bptr += strlen(kv); + size_t nlen = pkgconf_strlcpy(bptr, kv, remain); + if (nlen > remain) + { + pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); + + bptr = buf + (PKGCONF_BUFSIZE - 1); + break; + } + + bptr += nlen; } else { @@ -370,12 +379,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const if (kv != NULL) { + size_t nlen; + parsekv = pkgconf_tuple_parse(client, vars, kv, flags); - - strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf)); - bptr += strlen(parsekv); - + nlen = pkgconf_strlcpy(bptr, parsekv, remain); free(parsekv); + + if (nlen > remain) + { + pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); + + bptr = buf + (PKGCONF_BUFSIZE - 1); + break; + } + + bptr += nlen; } } }