bug#11372: [PATCH] avoid buffer overrun: NUL-terminate after strncpy

bug-gnu-emacs

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#11372: [PATCH] avoid buffer overrun: NUL-terminate after strncpy

From:	Jim Meyering
Subject:	bug#11372: [PATCH] avoid buffer overrun: NUL-terminate after strncpy
Date:	Sat, 28 Apr 2012 23:56:45 +0200

strncpy is often misused.
I would argue that nearly any use constitutes misuse.

Here are a few fixes:

2012-04-28  Jim Meyering  <meyering@redhat.com>

        avoid buffer overrun: NUL-terminate after strncpy
        * lib-src/pop.c (pop_stat, pop_list, pop_multi_first, pop_last):
        NUL-terminate the error buffer.
        * src/w32font.c (fill_in_logfont): NUL-terminate logfont face name.

---
 lib-src/pop.c |    8 +++++++-
 src/w32font.c |    7 +++++--
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/lib-src/pop.c b/lib-src/pop.c
index 37494d1..c4c7f2b 100644
--- a/lib-src/pop.c
+++ b/lib-src/pop.c
@@ -346,6 +346,7 @@ pop_stat (popserver server, int *count, int *size)
       if (0 == strncmp (fromserver, "-ERR", 4))
        {
          strncpy (pop_error, fromserver, ERROR_MAX);
+         pop_error[ERROR_MAX-1] = '\0';
        }
       else
        {
@@ -447,7 +448,10 @@ pop_list (popserver server, int message, int **IDs, int 
**sizes)
       if (strncmp (fromserver, "+OK ", 4))
        {
          if (! strncmp (fromserver, "-ERR", 4))
-           strncpy (pop_error, fromserver, ERROR_MAX);
+           {
+             strncpy (pop_error, fromserver, ERROR_MAX);
+             pop_error[ERROR_MAX-1] = '\0';
+           }
          else
            {
              strcpy (pop_error,
@@ -687,6 +691,7 @@ pop_multi_first (popserver server, const char *command, 
char **response)
   if (0 == strncmp (*response, "-ERR", 4))
     {
       strncpy (pop_error, *response, ERROR_MAX);
+      pop_error[ERROR_MAX-1] = '\0';
       return (-1);
     }
   else if (0 == strncmp (*response, "+OK", 3))
@@ -860,6 +865,7 @@ pop_last (popserver server)
   if (! strncmp (fromserver, "-ERR", 4))
     {
       strncpy (pop_error, fromserver, ERROR_MAX);
+      pop_error[ERROR_MAX-1] = '\0';
       return (-1);
     }
   else if (strncmp (fromserver, "+OK ", 4))
diff --git a/src/w32font.c b/src/w32font.c
index dab9f4c..8badace 100644
--- a/src/w32font.c
+++ b/src/w32font.c
@@ -2045,8 +2045,11 @@ fill_in_logfont (FRAME_PTR f, LOGFONT *logfont, 
Lisp_Object font_spec)
         /* Font families are interned, but allow for strings also in case of
            user input.  */
       else if (SYMBOLP (tmp))
-        strncpy (logfont->lfFaceName,
-                SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE);
+       {
+         strncpy (logfont->lfFaceName,
+                  SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE);
+         logfont->lfFaceName[LF_FACESIZE-1] = '\0';
+       }
     }

   tmp = AREF (font_spec, FONT_ADSTYLE_INDEX);
--
1.7.10.382.g62bc8

[Prev in Thread]

Current Thread

[Next in Thread]

bug#11372: [PATCH] avoid buffer overrun: NUL-terminate after strncpy, Jim Meyering <=

Prev by Date: bug#10781: EIEIO namespace use
Next by Date: bug#11373: [PATCH] xterm.c: Use memcpy in place of unwarranted strncpy.
Previous by thread: bug#10781: EIEIO namespace use
Next by thread: bug#11373: [PATCH] xterm.c: Use memcpy in place of unwarranted strncpy.
Index(es):
- Date
- Thread