From 0589fa10763adc6e984f0b79bb7e6d087123063f Mon Sep 17 00:00:00 2001
From: Russell Bryant
Date: Thu, 10 Jan 2008 03:24:11 +0000
Subject: (add patch from issue #1852385) This patch provides a revised implementation of the strtokcpy() function in s_path.c. It provides the following benefits: 1) Prevent potential overflow of a stack buffer. This function did nothing to ensure that it didn't write past the end of the destination buffer. It is possible to cause this to happen by providing certain command line arguments that are longer than MAXPDSTRING. Also, there may be other ways to trigger this bug if namelist_append_files() is used anywhere beyond the uses I reviewed, which are the ones in pd/*.c. 2) Copy bytes from the string in the same loop that looks for the delimiter. This is simply for efficiency in that the string only has to be traversed once, instead of twice (one to find the delimiter, and the second to copy up to it). svn path=/trunk/; revision=9143
---
packages/patches/strtokcpy-0.41.0-test10.patch | 59 ++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 packages/patches/strtokcpy-0.41.0-test10.patch
(limited to 'packages/patches')
diff --git a/packages/patches/strtokcpy-0.41.0-test10.patch b/packages/patches/strtokcpy-0.41.0-test10.patch
new file mode 100644
index 00000000..aa167793
--- /dev/null
+++ b/packages/patches/strtokcpy-0.41.0-test10.patch
@@ -0,0 +1,59 @@
+Index: s_path.c
+===================================================================
+RCS file: /cvsroot/pure-data/pd/src/s_path.c,v
+retrieving revision 1.11
+diff -u -u -r1.11 s_path.c
+--- s_path.c 8 Sep 2006 23:45:31 -0000 1.11
++++ s_path.c 17 Dec 2007 14:54:32 -0000
+@@ -64,21 +64,29 @@
+
+ /******************* Utility functions used below ******************/
+
+-/* copy until delimiter and return position after delimiter in string */
+-/* if it was the last substring, return NULL */
++/*!
++ * \brief copy until delimiter
++ *
++ * \arg to destination buffer
++ * \arg to_len destination buffer length
++ * \arg from source buffer
++ * \arg delim string delimiter to stop copying on
++ *
++ * \return position after delimiter in string. If it was the last
++ * substring, return NULL.
++ */
++static const char *strtokcpy(char *to, size_t to_len, const char *from, char delim)
++{
++ unsigned int i = 0;
++
++ for (; i < (to_len - 1) && from[i] && from[i] != delim; i++)
++ to[i] = from[i];
++ to[i] = '\0';
+
+-static const char* strtokcpy(char *to, const char *from, int delim)
+-{
+- int size = 0;
+-
+- while (from[size] != (char)delim && from[size] != '\0')
+- size++;
++ if (i && from[i] != '\0')
++ return from + i + 1;
+
+- strncpy(to,from,size);
+- to[size] = '\0';
+- if (from[size] == '\0') return NULL;
+- if (size) return from+size+1;
+- else return NULL;
++ return NULL;
+ }
+
+ /* add a single item to a namelist. If "allowdup" is true, duplicates
+@@ -126,7 +134,7 @@
+ npos = s;
+ do
+ {
+- npos = strtokcpy(temp, npos, SEPARATOR);
++ npos = strtokcpy(temp, sizeof(temp), npos, SEPARATOR);
+ if (! *temp) continue;
+ nl = namelist_append(nl, temp, 0);
+ }
-- cgit v1.2.1
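Review bot: An entry longer than `to_len - 1` is truncated silently in the new `strtokcpy()`: the copy loop stops on a character that is neither the delimiter nor NUL, and `return from + i + 1` then skips that character and resumes in the middle of the same entry, so the caller's `namelist_append()` loop would be handed a cut-off path followed by its leftover fragments. For a search-path list that means directories the user never named, so I would discard an over-long entry (leave `to` empty, which the caller's `if (! *temp) continue;` already skips) and advance to the next delimiter before returning. Separately, `to_len - 1` wraps when `to_len` is 0 and `i` should be `size_t` to match `to_len`. The caller's loop condition lies outside the second hunk, so how it reacts to the returned position is inferred.

```c
static const char *strtokcpy(char *to, size_t to_len, const char *from, char delim)
{
    size_t i = 0;

    if (to_len == 0)
        return NULL;

    /* … unchanged: bounded copy loop and NUL termination … */

    if (from[i] != '\0' && from[i] != delim) {
        /* entry did not fit: discard it and resume after its delimiter */
        to[0] = '\0';
        while (from[i] != '\0' && from[i] != delim)
            i++;
    }

    /* … unchanged: return from + i + 1, or NULL at the last substring … */
}
```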