Plan 9 from Bell Labs’s /usr/web/sources/contrib/mospak/abaco-modern/abaco-util-strcpy-bound.patch

Copyright © 2021 Plan 9 Foundation.
Distributed under the MIT License.


abaco: bound the charset copy in convert()

convert() at util.c:956 copies the global `charset` string (set by
the -t command-line flag) into a 25-byte stack buffer with a bare
strcpy — no bound check.

    char t[25], buf[256];
    ...
    if(*t == '\0')
        strcpy(t, charset);

Real-world charset names fit easily (utf-8, windows-1252,
iso-8859-15 are all under 13 chars), so the overflow is never
triggered by sensible inputs.  But the function already has the
bounded idiom two calls earlier (util.c:947,
`snprint(buf, sizeof(buf), "%.*S", ...)`); swap the strcpy to
match.

    snprint(t, sizeof(t), "%s", charset);

No behaviour change for any sensible -t value.  Defensive tightening
against a malformed command-line argument that would otherwise
smash the stack frame of convert().

RFC relevance: none

--- sys/src/cmd/abaco/util.c
+++ sys/src/cmd/abaco/util.c
@@ -953,7 +953,7 @@
 		findctype(t, sizeof(t), "charset", buf);

 	if(*t == '\0')
-		strcpy(t, charset);
+		snprint(t, sizeof(t), "%s", charset);
 	return tcs(t, s, np);
 }
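
Review bot: the new `snprint(t, sizeof(t), "%s", charset)` line truncates silently, so an over-long -t value no longer overflows t but is cut to sizeof(t)-1 bytes and handed to `tcs(t, s, np)` as a charset name the user never supplied. Consider rejecting or warning when charset does not fit, either here (compare strlen(charset) against sizeof(t) before the copy) or where -t is parsed, so a malformed argument fails visibly instead of converting under a truncated name. If a plain bounded copy is all that is wanted, `strecpy(t, t+sizeof(t), charset)` is the usual Plan 9 call for it and avoids a format string.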

