[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Info-mtools] [PATCH] vfat: fix out-of-bounds write in autorename
|
From: |
Arsen Arsenović |
|
Subject: |
[Info-mtools] [PATCH] vfat: fix out-of-bounds write in autorename |
|
Date: |
Sat, 25 Nov 2023 23:35:06 +0100 |
In vfat.c:autorename, the rename routine updates the trailing two
characters of the non-null-terminated dos_name::base using sprintf,
however, sprintf writes a null terminator one past the end of the
buffer. To prevent this, we can use snprintf with and pass it the
output buffer size.
Detected via _FORTIFY_SOURCE=3.
Bug: https://bugs.gentoo.org/916028
---
Hi!
As the subject and the summary above state, this patch removes an out of
bounds buffer write in the autorename function. The bug above can be
exhibited via:
mcopy /dev/null ::/123456789.sys
This patch applies cleanly against mtools-4.0.43.tar.gz. I wasn't able
to find a VCS for mtools, so I just generated this patch via Git for
convenience sake.
Have a lovely day!
vfat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/vfat.c b/vfat.c
index 5247d99..ab23098 100644
--- a/vfat.c
+++ b/vfat.c
@@ -127,7 +127,7 @@ static void autorename(char *name,
tmp = name[dotpos];
if((bump && seqnum == 1) || seqnum > 1 || mtools_numeric_tail)
- sprintf(name+tildapos,"%c%d",tilda, seqnum);
+ snprintf(name+tildapos,limit-tildapos,"%c%d",tilda, seqnum);
if(dot)
name[dotpos]=tmp;
/* replace the character if it wasn't a space */
--
2.43.0
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Info-mtools] [PATCH] vfat: fix out-of-bounds write in autorename,
Arsen Arsenović <=