Dialog.c: fix possible buffer overflows

Fix write past the end of singlePath if PATH contains dirs longer than PATH_MAX.

Dialog.c: fix possible buffer overflows
3de6bc74 · Ulrich Sibiller · 4a345786 · 3de6bc74
Commit 3de6bc74 authored Nov 23, 2017 by Ulrich Sibiller
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 0 deletions

Display.c nx-X11/programs/Xserver/hw/nxagent/Display.c +13 -0

No files found.
--- a/nx-X11/programs/Xserver/hw/nxagent/Display.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/Display.c
@@ -1842,6 +1842,13 @@ static FILE *nxagentLookForIconFile(char *iconName, const char *permission,

    if (end != NULL)
    {
+      if ((end - path) > sizeof(singlePath) - 1)
+      {
+        fprintf(stderr, "Warning: Path too long - ignored.\n");
+        path = end + 1;
+        continue;
+      }
+
      strncpy(singlePath, path, (unsigned long)(end - path));

      singlePath[(unsigned long)(end - path)] = '\0';
@@ -1850,6 +1857,12 @@ static FILE *nxagentLookForIconFile(char *iconName, const char *permission,
    }
    else
    {
+      if (strlen(path) > sizeof(singlePath) - 1)
+      {
+        fprintf(stderr, "Error: Path too long.\n");
+        return NULL;
+      }
+
      strcpy(singlePath, path);

      breakLoop = 1;