XlibInt: Use strncpy+zero termination instead of strcpy to enforce buffer size

Possible overrun of 8192 byte fixed size buffer "buffer" by copying "ext->name" without length checking Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Ander Conselvan de Oliveira <ander.conselvan-de-oliveira@nokia.com> Signed-off-by: Erkki Seppälä <erkki.seppala@vincit.fi> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

XlibInt: Use strncpy+zero termination instead of strcpy to enforce buffer size
20470a83 · Erkki Seppälä · Ulrich Sibiller · 7576f5f1 · 20470a83
Commit 20470a83 authored Jan 31, 2011 by Erkki Seppälä Committed by Ulrich Sibiller Oct 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

XlibInt.c nx-X11/lib/X11/XlibInt.c +4 -3

No files found.
--- a/nx-X11/lib/X11/XlibInt.c
+++ b/nx-X11/lib/X11/XlibInt.c
@@ -3528,9 +3528,10 @@ static int _XPrintDefaultError(
 	     ext && (ext->codes.major_opcode != event->request_code);
 	     ext = ext->next)
 	  ;
-	if (ext)
-	    strcpy(buffer, ext->name);
-	else
+	if (ext) {
+	    strncpy(buffer, ext->name, BUFSIZ);
+	    buffer[BUFSIZ - 1] = '\0';
+        } else
 	    buffer[0] = '\0';
    }
    (void) fprintf(fp, " (%s)\n", buffer);