diff options
| author | Mark Wielaard <mark@klomp.org> | 2019-06-24 00:14:02 +0200 |
|---|---|---|
| committer | Mark Wielaard <mark@klomp.org> | 2019-06-24 00:14:06 +0200 |
| commit | 833548edc0eb4af85ce8da193835f0f31a6c300f (patch) | |
| tree | 0e7937211f4e0a6b278288b8aa82bc247a87b40f | |
| parent | 02fe3ca2349e45eee6dff6ca46bf9a9187f382c5 (diff) | |
| download | bzip2-833548edc0eb4af85ce8da193835f0f31a6c300f.tar.gz bzip2-833548edc0eb4af85ce8da193835f0f31a6c300f.tar.bz2 bzip2-833548edc0eb4af85ce8da193835f0f31a6c300f.zip | |
bzip2recover: Fix buffer overflow for large argv[0].
bzip2recover.c (main) copies argv[0] to a statically sized buffer
without checking whether argv[0] might be too big (> 2000 chars).
This patch comes from Fedora and was originally reported at
https://bugzilla.redhat.com/show_bug.cgi?id=226979
| -rw-r--r-- | bzip2recover.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/bzip2recover.c b/bzip2recover.c index 06ac1f5..1a70e04 100644 --- a/bzip2recover.c +++ b/bzip2recover.c | |||
| @@ -309,7 +309,8 @@ Int32 main ( Int32 argc, Char** argv ) | |||
| 309 | UInt32 buffHi, buffLo, blockCRC; | 309 | UInt32 buffHi, buffLo, blockCRC; |
| 310 | Char* p; | 310 | Char* p; |
| 311 | 311 | ||
| 312 | strcpy ( progName, argv[0] ); | 312 | strncpy ( progName, argv[0], BZ_MAX_FILENAME-1); |
| 313 | progName[BZ_MAX_FILENAME-1]='\0'; | ||
| 313 | inFileName[0] = outFileName[0] = 0; | 314 | inFileName[0] = outFileName[0] = 0; |
| 314 | 315 | ||
| 315 | fprintf ( stderr, | 316 | fprintf ( stderr, |