From: Jim Meyering
Newsgroups: gmane.emacs.bugs
Subject: bug#11372: [PATCH] avoid buffer overrun: NUL-terminate after strncpy
Date: Sat, 28 Apr 2012 23:56:45 +0200
Message-ID: <87vckjmsf6.fsf@rho.meyering.net>
To: 11372@debbugs.gnu.org
List-Id: "Bug reports for GNU Emacs, the Swiss army knife of text editors"

strncpy is often misused.
I would argue that nearly any use constitutes misuse.
Here are a few fixes:

2012-04-28 Jim Meyering

  avoid buffer overrun: NUL-terminate after strncpy
  * lib-src/pop.c (pop_stat, pop_list, pop_multi_first, pop_last):
  NUL-terminate the error buffer.
  * src/w32font.c (fill_in_logfont): NUL-terminate logfont face name.
--- lib-src/pop.c | 8 +++++++- src/w32font.c | 7 +++++-- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/lib-src/pop.c b/lib-src/pop.c index 37494d1..c4c7f2b 100644 --- a/lib-src/pop.c +++ b/lib-src/pop.c 
@@ -346,6 +346,7 @@ pop_stat (popserver server, int *count, int *size) if (0 == strncmp (fromserver, "-ERR", 4)) { strncpy (pop_error, fromserver, ERROR_MAX); + pop_error[ERROR_MAX-1] = '\0'; } else { @@ -447,7 +448,10 @@ pop_list (popserver server, int message, int **IDs, int **sizes) if (strncmp (fromserver, "+OK ", 4)) { if (! strncmp (fromserver, "-ERR", 4)) - strncpy (pop_error, fromserver, ERROR_MAX); + { + strncpy (pop_error, fromserver, ERROR_MAX); + pop_error[ERROR_MAX-1] = '\0'; + } else { strcpy (pop_error, @@ -687,6 +691,7 @@ pop_multi_first (popserver server, const char *command, char **response) if (0 == strncmp (*response, "-ERR", 4)) { strncpy (pop_error, *response, ERROR_MAX); + pop_error[ERROR_MAX-1] = '\0'; return (-1); } else if (0 == strncmp (*response, "+OK", 3)) @@ -860,6 +865,7 @@ pop_last (popserver server) if (! strncmp (fromserver, "-ERR", 4)) { strncpy (pop_error, fromserver, ERROR_MAX); + pop_error[ERROR_MAX-1] = '\0'; return (-1); } else if (strncmp (fromserver, "+OK ", 4)) diff --git a/src/w32font.c b/src/w32font.c index dab9f4c..8badace 100644 --- a/src/w32font.c +++ b/src/w32font.c @@ -2045,8 +2045,11 @@ fill_in_logfont (FRAME_PTR f, LOGFONT *logfont, Lisp_Object font_spec) /* Font families are interned, but allow for strings also in case of user input. */ else if (SYMBOLP (tmp)) - strncpy (logfont->lfFaceName, - SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE); + { + strncpy (logfont->lfFaceName, + SDATA (ENCODE_SYSTEM (SYMBOL_NAME (tmp))), LF_FACESIZE); + logfont->lfFaceName[LF_FACESIZE-1] = '\0'; + } } tmp = AREF (font_spec, FONT_ADSTYLE_INDEX); -- 1.7.10.382.g62bc8
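
Review bot: in the pop_stat hunk, the added pop_error[ERROR_MAX-1] = '\0'; is only in bounds if pop_error is at least ERROR_MAX bytes, and its declaration is not part of this patch. If pop_error is a true array, indexing with sizeof pop_error - 1 would tie the terminator to the real buffer size rather than to a macro that has to be kept in step with it. The same copy-then-terminate pair is added again in pop_list, pop_multi_first and pop_last, so a small static helper would leave one place to get the bound right. Style point: GNU formatting puts spaces around the operator, ERROR_MAX - 1.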
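
Review bot: in the pop_list hunk, the trailing context shows the else branch writing to the same buffer with an unbounded strcpy (pop_error, ... whose source argument falls outside the hunk. Please confirm that source is a fixed string shorter than ERROR_MAX; if any server-supplied text is appended to it afterwards, that path needs the same bound and terminator as the -ERR branch fixed here.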
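
Review bot: in the fill_in_logfont hunk, only the SYMBOLP branch gets logfont->lfFaceName[LF_FACESIZE-1] = '\0';, but it is an else if, and the comment just above it says strings are allowed "in case of user input". The preceding branch is not shown here; if it copies into lfFaceName with strncpy and LF_FACESIZE in the same way, it needs the same terminator, and user-supplied strings are the more likely source of an over-long name. Setting the terminator once after the whole if/else chain would cover both branches.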
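
The failure mode this patch addresses, as an added example that is not part of the original message or of the Emacs sources: strncpy leaves the destination unterminated when the source is at least as long as the bound. ERROR_MAX is a constructed demo size, LONG_ERR is a constructed server reply, and copy_checked is a hypothetical alternative that also reports truncation.

```c
#include <stdio.h>
#include <string.h>

#define ERROR_MAX 16  /* constructed demo size, not the value used in pop.c */

/* Constructed server reply, longer than the buffer. */
static const char LONG_ERR[] = "-ERR mailbox locked by another session";

/* 1 if a NUL occurs within the first size bytes of buf, else 0. */
static int is_terminated (const char *buf, size_t size)
{
  return memchr (buf, '\0', size) != NULL;
}

/* Pre-patch pattern.  If strlen (src) >= size, strncpy writes exactly
   size bytes and no terminator, so a later strlen or "%s" on dst
   reads past the end of the buffer. */
static int copy_unpatched (char *dst, size_t size, const char *src)
{
  strncpy (dst, src, size);
  return is_terminated (dst, size);
}

/* Patched pattern: force a terminator into the last byte. */
static int copy_patched (char *dst, size_t size, const char *src)
{
  strncpy (dst, src, size);
  dst[size - 1] = '\0';
  return is_terminated (dst, size);
}

/* Hypothetical alternative (not in the patch), size must be > 0:
   always terminates and returns 1 when src was truncated, else 0. */
static int copy_checked (char *dst, size_t size, const char *src)
{
  size_t len = strlen (src);
  int truncated = len >= size;
  if (truncated)
    len = size - 1;
  memcpy (dst, src, len);
  dst[len] = '\0';
  return truncated;
}

int main (void)
{
  char buf[ERROR_MAX];
  printf ("unpatched terminated: %d\n", copy_unpatched (buf, sizeof buf, LONG_ERR));
  printf ("patched terminated:   %d\n", copy_patched (buf, sizeof buf, LONG_ERR));
  return 0;
}
```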