From 628b2b2bafa5d3a2017193ddf375093e70666059 Mon Sep 17 00:00:00 2001 From: Ariadne Conill Date: Fri, 20 Jan 2023 22:07:03 +0000 Subject: [PATCH] tuple: test for, and stop string processing, on truncation otherwise a buffer overflow occurs. this has been a bug in pkgconf since the beginning, it seems. instead of disclosing the bug correctly, a "hotshot" developer decided to blog about it instead. sigh. https://nullprogram.com/blog/2023/01/18/ --- libpkgconf/tuple.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/libpkgconf/tuple.c b/libpkgconf/tuple.c index 2d550d8..b831070 100644 --- a/libpkgconf/tuple.c +++ b/libpkgconf/tuple.c @@ -293,12 +293,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const } } + size_t remain = PKGCONF_BUFSIZE - (bptr - buf); ptr += (pptr - ptr); kv = pkgconf_tuple_find_global(client, varname); if (kv != NULL) { - strncpy(bptr, kv, PKGCONF_BUFSIZE - (bptr - buf)); - bptr += strlen(kv); + size_t nlen = pkgconf_strlcpy(bptr, kv, remain); + if (nlen > remain) + { + pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); + + bptr = buf + (PKGCONF_BUFSIZE - 1); + break; + } + + bptr += nlen; } else { @@ -306,12 +315,21 @@ pkgconf_tuple_parse(const pkgconf_client_t *client, pkgconf_list_t *vars, const if (kv != NULL) { + size_t nlen; + parsekv = pkgconf_tuple_parse(client, vars, kv); + nlen = pkgconf_strlcpy(bptr, parsekv, remain); + free(parsekv); - strncpy(bptr, parsekv, PKGCONF_BUFSIZE - (bptr - buf)); - bptr += strlen(parsekv); + if (nlen > remain) + { + pkgconf_warn(client, "warning: truncating very long variable to 64KB\n"); - free(parsekv); + bptr = buf + (PKGCONF_BUFSIZE - 1); + break; + } + + bptr += nlen; } } } -- 2.33.0