tuple: test for, and stop string processing, on truncation
otherwise a buffer overflow occurs. this has been a bug in pkgconf since the beginning, it seems. instead of disclosing the bug correctly, a "hotshot" developer decided to blog about it instead. sigh. https://nullprogram.com/blog/2023/01/18/ master
parent
3e481581ba
commit
628b2b2baf
|
@ -357,12 +357,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
|
||||||
|
|
||||||
PKGCONF_TRACE(client, "lookup tuple %s", varname);
|
PKGCONF_TRACE(client, "lookup tuple %s", varname);
|
||||||
|
|
||||||
|
size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
|
||||||
ptr += (pptr - ptr);
|
ptr += (pptr - ptr);
|
||||||
kv = pkgconf_tuple_find_global(client, varname);
|
kv = pkgconf_tuple_find_global(client, varname);
|
||||||
if (kv != NULL)
|
if (kv != NULL)
|
||||||
{
|
{
|
||||||
strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf));
|
size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
|
||||||
bptr += strlen(kv);
|
if (nlen > remain)
|
||||||
|
{
|
||||||
|
pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
|
||||||
|
|
||||||
|
bptr = buf + (PKGCONF_BUFSIZE - 1);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
bptr += nlen;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
|
@ -370,12 +379,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
|
||||||
|
|
||||||
if (kv != NULL)
|
if (kv != NULL)
|
||||||
{
|
{
|
||||||
|
size_t nlen;
|
||||||
|
|
||||||
parsekv = pkgconf_tuple_parse(client, vars, kv, flags);
|
parsekv = pkgconf_tuple_parse(client, vars, kv, flags);
|
||||||
|
nlen = pkgconf_strlcpy(bptr, parsekv, remain);
|
||||||
strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
|
|
||||||
bptr += strlen(parsekv);
|
|
||||||
|
|
||||||
free(parsekv);
|
free(parsekv);
|
||||||
|
|
||||||
|
if (nlen > remain)
|
||||||
|
{
|
||||||
|
pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
|
||||||
|
|
||||||
|
bptr = buf + (PKGCONF_BUFSIZE - 1);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
bptr += nlen;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
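Review bot: The truncation test `if (nlen > remain)` in both hunks misses the boundary case `nlen == remain`. Assuming `pkgconf_strlcpy` follows BSD `strlcpy` semantics (it returns the source length and copies at most `remain - 1` bytes plus the terminator), a source of exactly `remain` bytes is already truncated, yet the check passes and `bptr += nlen` leaves `bptr` at `buf + PKGCONF_BUFSIZE`, one past the end of the buffer. Any later store through `bptr` would then be out of bounds by one byte; the loop and the final terminator write are outside the visible hunks, so that part is inferred. The comparison should be `if (nlen >= remain)` in both places, and a regression test with a variable that expands to exactly the remaining space would pin the boundary.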