From fee60d078e8edd2dabaaaa2d6dea02381f292369 Mon Sep 17 00:00:00 2001
From: Michael Beck
Date: Mon, 13 Oct 2008 22:38:32 +0000
Subject: [PATCH] - BugFix: DECL_DUMP() and DECL_DUMP_VALS() uses strncat() wrong, causing buffer overrun [r22850]
---
 ir/libcore/lc_opts_enum.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)
diff --git a/ir/libcore/lc_opts_enum.c b/ir/libcore/lc_opts_enum.c
index 821c9617f..1d676028a 100644
--- a/ir/libcore/lc_opts_enum.c
+++ b/ir/libcore/lc_opts_enum.c
@@ -83,12 +83,22 @@ int lc_opt_enum_ ## N ## _dump(char *buf, size_t n, LC_UNUSED(const char *name),
 const char *prefix = ""; \
 TYPE(value) = *var->value; \
 int i; \
+ size_t l = strlen(buf); \
 \
- for(i = 0; items[i].name != NULL; ++i) { \
+ if (l >= n) \
+ return (int)l; \
+ n -= l; \
+ n += 2; \
+ for (i = 0; items[i].name != NULL; ++i) { \
 TYPE(item_value) = items[i].value; \
- if(cond) { \
- strncat(buf, prefix, n); \
- strncat(buf, items[i].name, n); \
+ if (cond) { \
+ if (n <= 2) \
+ break; \
+ strcat(buf, prefix); \
+ l = strlen(items[i].name); \
+ if (n <= l) \
+ break; \
+ strcat(buf, items[i].name); \
 prefix = ", "; \
 } \
 } \
@@ -104,10 +114,21 @@ int lc_opt_enum_ ## N ## _dump_vals(char *buf, size_t n, LC_UNUSED(const char *n
 const lc_opt_enum_ ## N ## _items_t *items = var->items; \
 const char *prefix = ""; \
 int i; \
+ size_t l = strlen(buf); \
 \
- for(i = 0; items[i].name != NULL; ++i) { \
- strncat(buf, prefix, n); \
- strncat(buf, items[i].name, n); \
+ if (l >= n) \
+ return (int)l; \
+ n -= l; \
+ n += 2; \
+ for (i = 0; items[i].name != NULL; ++i) { \
+ if (n <= 2) \
+ break; \
+ strcat(buf, prefix); n -= 2; \
+ l = strlen(items[i].name); \
+ if (n <= l) \
+ break; \
+ strcat(buf, items[i].name); \
+ n -= l; \
 prefix = ", "; \
 } \
 \
-- 
2.20.1
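Review bot: The rewritten loop in `lc_opt_enum_ ## N ## _dump` never reduces `n` after appending, so the `n <= 2` and `n <= l` checks compare every item against the space that was free on entry, inflated by the `n += 2` bias. The now unbounded `strcat()` calls can therefore still write past the end of `buf`: a first name one or two bytes too long already passes the check, and so does any later name once the appended text has used up the room. The `_dump_vals` hunk of this commit does the bookkeeping, and this loop needs the same two updates: `strcat(buf, prefix); n -= 2;` and `n -= l;` after `strcat(buf, items[i].name);`. The function body starts and ends outside the hunk, so the value returned after the loop is not visible here.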
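Review bot: When a name does not fit in `lc_opt_enum_ ## N ## _dump_vals`, the loop breaks after `strcat(buf, prefix)` has already run, so a truncated listing ends in a dangling `, `. Checking prefix and name together before writing either avoids that: `l = strlen(items[i].name);`, then `if (n <= l + 2) break;`, then both `strcat()` calls followed by `n -= l + 2;`. The `n += 2` bias that makes this arithmetic work for the empty first prefix is not obvious and deserves a comment such as `/* n = free bytes incl. NUL; +2 pre-pays the empty first prefix */`. The initial `strlen(buf)` also presumes the caller passes a string that is NUL-terminated within `n` bytes, which cannot be confirmed from the hunk. The function body starts and ends outside the hunk.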