tuple: test for, and stop string processing, on truncation

otherwise a buffer overflow occurs.
this has been a bug in pkgconf since the beginning, it seems.
instead of disclosing the bug correctly, a "hotshot" developer
decided to blog about it instead.  sigh.

https://nullprogram.com/blog/2023/01/18/
Ariadne Conill 2023-01-20 22:07:03 +00:00
parent 3e481581ba
commit 628b2b2baf
1 changed files with 24 additions and 6 deletions


@ -357,12 +357,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
PKGCONF_TRACE(client, "lookup tuple %s", varname); PKGCONF_TRACE(client, "lookup tuple %s", varname);
size_t remain = PKGCONF_BUFSIZE - (bptr - buf);
ptr += (pptr - ptr); ptr += (pptr - ptr);
kv = pkgconf_tuple_find_global(client, varname); kv = pkgconf_tuple_find_global(client, varname);
if (kv != NULL) if (kv != NULL)
{ {
strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf)); size_t nlen = pkgconf_strlcpy(bptr, kv, remain);
bptr += strlen(kv); if (nlen > remain)
{
pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
bptr = buf + (PKGCONF_BUFSIZE - 1);
break;
}
bptr += nlen;
} }
else else
{ {
@ -370,12 +379,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const
if (kv != NULL) if (kv != NULL)
{ {
size_t nlen;
parsekv = pkgconf_tuple_parse(client, vars, kv, flags); parsekv = pkgconf_tuple_parse(client, vars, kv, flags);
nlen = pkgconf_strlcpy(bptr, parsekv, remain);
strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf));
bptr += strlen(parsekv);
free(parsekv); free(parsekv);
if (nlen > remain)
{
pkgconf_warn(client, "warning: truncating very long variable to 64KB\n");
bptr = buf + (PKGCONF_BUFSIZE - 1);
break;
}
bptr += nlen;
} }
} }
} }
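Review bot: The truncation test `if (nlen > remain)` (first hunk, repeated in the second) looks off by one if pkgconf_strlcpy follows strlcpy semantics, where the return value is the full source length and the copy is truncated whenever that length is greater than or equal to the size passed: with nlen == remain the buffer already holds a truncated, NUL-terminated copy, yet `bptr += nlen` then advances to buf + PKGCONF_BUFSIZE, one past the array, so any later write through bptr (a terminating NUL after the loop, for instance) lands out of bounds. Changing both tests to `if (nlen >= remain)` lets the existing clamp to `buf + (PKGCONF_BUFSIZE - 1)` and the `break` cover the boundary case too. The definition of pkgconf_strlcpy is not visible here, so confirm its return and truncation contract before changing the comparison. pkgconf_tuple_parse and the loop enclosing these hunks start and end outside the shown lines.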