diff options
| author | László Várady <laszlo.varady93@gmail.com> | 2019-08-05 15:11:19 +0200 |
|---|---|---|
| committer | Allan McRae <allan@archlinux.org> | 2019-08-12 02:19:09 +0200 |
| commit | f9f22fded2f05ae1edb5af3bd0e3a4aba2f5ce34 (patch) | |
| tree | 304b45707585d6ad8a222f11dc8cc028631b78ca | |
| parent | 18a64400617259b34ccf014682fd8022d551a036 (diff) | |
| download | pacman-f9f22fded2f05ae1edb5af3bd0e3a4aba2f5ce34.tar.gz pacman-f9f22fded2f05ae1edb5af3bd0e3a4aba2f5ce34.tar.xz | |
pacman/callback: fix buffer over-read
Commit 11ab9aa9f5f0f3873df89c73e8715b82f485bd9b replaced a strcpy() call
with memcpy(), without copying the terminating null character.
Since fname is allocated with malloc(), subsequent strstr() calls will
overrun the buffer's boundary.
Signed-off-by: László Várady <laszlo.varady93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
| -rw-r--r-- | src/pacman/callback.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/src/pacman/callback.c b/src/pacman/callback.c index aa5f521e..fc4ce875 100644 --- a/src/pacman/callback.c +++ b/src/pacman/callback.c @@ -765,7 +765,7 @@ void cb_dl_progress(const char *filename, off_t file_xfered, off_t file_total) len = strlen(filename); fname = malloc(len + 1); - memcpy(fname, filename, len); + memcpy(fname, filename, len + 1); /* strip package or DB extension for cleaner look */ if((p = strstr(fname, ".pkg")) || (p = strstr(fname, ".db")) || (p = strstr(fname, ".files"))) { /* tack on a .sig suffix for signatures */ @@ -777,8 +777,8 @@ void cb_dl_progress(const char *filename, off_t file_xfered, off_t file_total) } else { len = p - fname; } + fname[len] = '\0'; } - fname[len] = '\0'; /* 1 space + filenamelen + 1 space + 6 for size + 1 space + 3 for label + * + 2 spaces + 4 for rate + 1 space + 3 for label + 2 for /s + 1 space + |