Date: Thu, 26 May 2016 01:33:24 +0000 (UTC) From: Don Lewis <truckman@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r300705 - head/usr.bin/fortune/unstr Message-ID: <201605260133.u4Q1XOl5087710@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: truckman Date: Thu May 26 01:33:24 2016 New Revision: 300705 URL: https://svnweb.freebsd.org/changeset/base/300705 Log: Avoid buffer overflow when copying the input file name and appending .dat. Check the return value from fread() to be sure that it was successful. Reported by: Coverity CID: 1006709, 1009452 MFC after: 1 week Modified: head/usr.bin/fortune/unstr/unstr.c Modified: head/usr.bin/fortune/unstr/unstr.c ============================================================================== --- head/usr.bin/fortune/unstr/unstr.c Thu May 26 01:19:13 2016 (r300704) +++ head/usr.bin/fortune/unstr/unstr.c Thu May 26 01:33:24 2016 (r300705) @@ -86,13 +86,19 @@ main(int argc, char *argv[]) exit(1); } Infile = argv[1]; - strcpy(Datafile, Infile); - strcat(Datafile, ".dat"); + if ((size_t)snprintf(Datafile, sizeof(Datafile), "%s.dat", Infile) >= + sizeof(Datafile)) + errx(1, "%s name too long", Infile); if ((Inf = fopen(Infile, "r")) == NULL) err(1, "%s", Infile); if ((Dataf = fopen(Datafile, "r")) == NULL) err(1, "%s", Datafile); - fread((char *)&tbl, sizeof(tbl), 1, Dataf); + if (fread((char *)&tbl, sizeof(tbl), 1, Dataf) != 1) { + if (feof(Dataf)) + errx(1, "%s read EOF", Datafile); + else + err(1, "%s read", Datafile); + } tbl.str_version = be32toh(tbl.str_version); tbl.str_numstr = be32toh(tbl.str_numstr); tbl.str_longlen = be32toh(tbl.str_longlen);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201605260133.u4Q1XOl5087710>