bryson/pacman
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

pacman/callback: fix buffer over-read

Browse source 
Commit 11ab9aa9f5 replaced a strcpy() call
with memcpy(), without copying the terminating null character.

Since fname is allocated with malloc(), subsequent strstr() calls will
overrun the buffer's boundary.

Signed-off-by: László Várady <laszlo.varady93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
This commit is contained in:
László Várady 2019-08-05 15:11:19 +02:00 committed by Allan McRae
parent 18a6440061
commit f9f22fded2
1 changed files with 2 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
src/pacman/callback.c
View file

@ -765,7 +765,7 @@ void cb_dl_progress(const char *filename, off_t file_xfered, off_t file_total)
len = strlen(filename);
fname = malloc(len + 1);
memcpy(fname, filename, len);
memcpy(fname, filename, len + 1);
/* strip package or DB extension for cleaner look */
if((p = strstr(fname, ".pkg")) || (p = strstr(fname, ".db")) || (p = strstr(fname, ".files"))) {
/* tack on a .sig suffix for signatures */
@ -777,8 +777,8 @@ void cb_dl_progress(const char *filename, off_t file_xfered, off_t file_total)
} else {
len = p - fname;
}
}
fname[len] = '\0';
}
/* 1 space + filenamelen + 1 space + 6 for size + 1 space + 3 for label +
* + 2 spaces + 4 for rate + 1 space + 3 for label + 2 for /s + 1 space +