poke-devel

[PATCH 1/2] Fix overread by 1 byte in pk_cmd_get_next_match()


From: Dan Čermák
Subject: [PATCH 1/2] Fix overread by 1 byte in pk_cmd_get_next_match()
Date: Fri, 13 Dec 2019 00:08:31 +0100

From: Dan Čermák <address@hidden>

The name string was generated with the wrong length: strlen() returns the length
of (*c)->name _excluding_ \0, but we must allocate enough bytes for
'.' + strlen((*c)->name) + '\0' => strlen((*c)->name) + 2.

Furthermore, since we only need to copy a single character into name, we just
write the char directly instead of invoking strcpy and then use strncpy instead
of the notoriously unsafe strcat.
---
 src/pk-cmd.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/pk-cmd.c b/src/pk-cmd.c
index 7d703b1..abc2115 100644
--- a/src/pk-cmd.c
+++ b/src/pk-cmd.c
@@ -787,9 +787,11 @@ pk_cmd_get_next_match (int *idx, const char *x, size_t len)
       if (*c == &null_cmd)
        break;
 
-      char *name = xmalloc (strlen ((*c)->name) + 1);
-      strcpy (name, ".");
-      strcat (name, (*c)->name);
+      /* don't forget the null terminator of name */
+      const size_t name_len = strlen ((*c)->name);
+      char *name = xmalloc (name_len + 2);
+      name[0] = '.';
+      strncpy (name+1, (*c)->name, name_len + 1);
       if (0 !=  strncmp (name, x, len))
        {
          free (name);
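Review bot: the strncpy on the last added line gains nothing over a plain copy, because its bound name_len + 1 is computed from strlen of the very string being copied, so it can neither truncate nor pad; memcpy (name + 1, (*c)->name, name_len + 1) states the intent directly and spares the reader from checking strncpy's zero-fill and missing-terminator rules. Also, judging from the removed lines, the bug is a one-byte heap write past the end of the xmalloc'd buffer (strcpy plus strcat store strlen + 2 bytes into an allocation of strlen + 1), i.e. an overflow rather than the overread the subject names; naming it precisely in the commit message helps anyone searching for it later. The comment on the first added line would be clearer if it spelled out the arithmetic ('.' + name + NUL = name_len + 2) rather than only mentioning the terminator.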
-- 
2.23.0
