From f9f22fded2f05ae1edb5af3bd0e3a4aba2f5ce34 Mon Sep 17 00:00:00 2001
From: László Várady <laszlo.varady93@gmail.com>
Date: Mon, 5 Aug 2019 15:11:19 +0200
Subject: pacman/callback: fix buffer over-read
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Commit 11ab9aa9f5f0f3873df89c73e8715b82f485bd9b replaced a strcpy() call
with memcpy(), without copying the terminating null character.

Since fname is allocated with malloc(), subsequent strstr() calls will
overrun the buffer's boundary.

Signed-off-by: László Várady <laszlo.varady93@gmail.com>
Signed-off-by: Allan McRae <allan@archlinux.org>
---
 src/pacman/callback.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/pacman/callback.c b/src/pacman/callback.c
index aa5f521e..fc4ce875 100644
--- a/src/pacman/callback.c
+++ b/src/pacman/callback.c
@@ -765,7 +765,7 @@ void cb_dl_progress(const char *filename, off_t file_xfered, off_t file_total)
 
 	len = strlen(filename);
 	fname = malloc(len + 1);
-	memcpy(fname, filename, len);
+	memcpy(fname, filename, len + 1);
 	/* strip package or DB extension for cleaner look */
 	if((p = strstr(fname, ".pkg")) || (p = strstr(fname, ".db")) || (p = strstr(fname, ".files"))) {
 		/* tack on a .sig suffix for signatures */
@@ -777,8 +777,8 @@ void cb_dl_progress(const char *filename, off_t file_xfered, off_t file_total)
 		} else {
 			len = p - fname;
 		}
+		fname[len] = '\0';
 	}
-	fname[len] = '\0';
 
 	/* 1 space + filenamelen + 1 space + 6 for size + 1 space + 3 for label +
 	 * + 2 spaces + 4 for rate + 1 space + 3 for label + 2 for /s + 1 space +
-- 
cgit v1.2.3-24-g4f1b