aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark Wielaard <mark@klomp.org>2019-06-24 00:14:02 +0200
committerMark Wielaard <mark@klomp.org>2019-06-24 00:14:06 +0200
commit833548edc0eb4af85ce8da193835f0f31a6c300f (patch)
tree0e7937211f4e0a6b278288b8aa82bc247a87b40f
parent02fe3ca2349e45eee6dff6ca46bf9a9187f382c5 (diff)
downloadbzip2-833548edc0eb4af85ce8da193835f0f31a6c300f.tar.gz
bzip2-833548edc0eb4af85ce8da193835f0f31a6c300f.tar.bz2
bzip2-833548edc0eb4af85ce8da193835f0f31a6c300f.zip
bzip2recover: Fix buffer overflow for large argv[0].
bzip2recover.c (main) copies argv[0] to a statically sized buffer without checking whether argv[0] might be too big (> 2000 chars). This patch comes from Fedora and was originally reported at https://bugzilla.redhat.com/show_bug.cgi?id=226979
-rw-r--r--bzip2recover.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/bzip2recover.c b/bzip2recover.c
index 06ac1f5..1a70e04 100644
--- a/bzip2recover.c
+++ b/bzip2recover.c
@@ -309,7 +309,8 @@ Int32 main ( Int32 argc, Char** argv )
309 UInt32 buffHi, buffLo, blockCRC; 309 UInt32 buffHi, buffLo, blockCRC;
310 Char* p; 310 Char* p;
311 311
312 strcpy ( progName, argv[0] ); 312 strncpy ( progName, argv[0], BZ_MAX_FILENAME-1);
313 progName[BZ_MAX_FILENAME-1]='\0';
313 inFileName[0] = outFileName[0] = 0; 314 inFileName[0] = outFileName[0] = 0;
314 315
315 fprintf ( stderr, 316 fprintf ( stderr,