Blame clamav-0.88.1-strncpy.patch
|
|
a4a6d25 |
2006-04-24 Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
|
|
|
a4a6d25 |
|
|
|
a4a6d25 |
* libclamav/unrarlib.c/stricomp(): terminate the string copied
|
|
|
a4a6d25 |
with strncpy() explicitly with '\0'. Does not seem to be
|
|
|
a4a6d25 |
exploitable at the moment due to deeply buried constraints
|
|
|
a4a6d25 |
(function will be called for buffers with a static size of
|
|
|
a4a6d25 |
260 only).
|
|
|
a4a6d25 |
|
|
|
a4a6d25 |
But it is better to fix it now than to run into problems
|
|
|
a4a6d25 |
when function is used for other purposes.
|
|
|
a4a6d25 |
|
|
|
a4a6d25 |
--- clamav-0.88.1/libclamav/unrarlib.c.strncpy 2005-06-23 22:03:12.000000000 +0200
|
|
|
a4a6d25 |
+++ clamav-0.88.1/libclamav/unrarlib.c 2006-04-24 23:10:07.000000000 +0200
|
|
|
a4a6d25 |
@@ -1180,8 +1180,10 @@ int stricomp(char *Str1,char *Str2)
|
|
|
a4a6d25 |
char S1[512],S2[512];
|
|
|
a4a6d25 |
char *chptr;
|
|
|
a4a6d25 |
|
|
|
a4a6d25 |
- strncpy(S1,Str1,sizeof(S1));
|
|
|
a4a6d25 |
- strncpy(S2,Str2,sizeof(S2));
|
|
|
a4a6d25 |
+ strncpy(S1,Str1,sizeof(S1));
|
|
|
a4a6d25 |
+ strncpy(S2,Str2,sizeof(S2));
|
|
|
a4a6d25 |
+ S1[sizeof(S1)-1] = '\0';
|
|
|
a4a6d25 |
+ S2[sizeof(S2)-1] = '\0';
|
|
|
a4a6d25 |
|
|
|
a4a6d25 |
while((chptr = strchr(S1, '\\')) != NULL) /* ignore backslash */
|
|
|
a4a6d25 |
{
|