Source: sqlite
Version: 2.8.17-14
Severity: serious

Compiling lemon.c with -Wall, leads to the following warning (among many
others):

| cc -g -O2 -fdebug-prefix-map=/tmp/sqlite-2.8.17=. -fstack-protector-strong -Wformat -Werror=format-security -DTHREADSAFE=1 -Wall -o lemon ./tool/lemon.c
| ./tool/lemon.c: In function 'pathsearch':
| ./tool/lemon.c:2724:37: warning: argument to 'sizeof' in 'snprintf' call is the same expression as the destination; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess]
|      if( path ) snprintf(path,sizeof path,"%s/%s",argv0,name);
|                                      ^~~~
| ./tool/lemon.c:2737:30: warning: argument to 'sizeof' in 'snprintf' call is the same expression as the destination; did you mean to provide an explicit length? [-Wsizeof-pointer-memaccess]
|          snprintf(path,sizeof path,"%s/%s",pathlist,name);
|                               ^~~~

Looking at the code, it comes from those lines:

|  char *path,*cp;
| ...
|    path = (char *)malloc( strlen(argv0) + strlen(name) + 2 );
|    if( path ) snprintf(path,sizeof path,"%s/%s",argv0,name);

and

|    path = (char *)malloc( strlen(pathlist)+strlen(name)+2 );
| ... 
|        snprintf(path,sizeof path,"%s/%s",pathlist,name);

The second argument of snprintf limits the number of bytes written. While
the buffer path is allocated dynamically using malloc, the size passed
to snprintf is the size of the pointer, which is 4 or 8 bytes depending
on the architecture, resulting in a truncation of the path.
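To make the effect concrete, here is a small added example (not code from sqlite or from the Debian patch) that places the defective pattern next to the corrected one. The directory and file names are constructed sample input; the function names are chosen for this illustration. Both functions allocate the same buffer, but the first limits snprintf to the size of the pointer variable, exactly as the patched pathsearch() does, so on a 64-bit build the result is cut to 7 characters plus the terminator.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Reproduces the defect: the limit handed to snprintf is sizeof of the
 * pointer variable (4 or 8 bytes), not the size of the heap block, so the
 * output is truncated to sizeof(char*)-1 characters.  The value is taken
 * through a local so the code compiles cleanly under -Wall; it is the same
 * number the patch's `sizeof path` yields. */
char *join_path_truncating(const char *dir, const char *name){
  size_t need = strlen(dir) + strlen(name) + 2;   /* dir + '/' + name + NUL */
  char *path = malloc(need);
  size_t wrong_limit = sizeof path;               /* BUG: size of the pointer */
  if( path ) snprintf(path, wrong_limit, "%s/%s", dir, name);
  return path;
}

/* Corrected form: pass the byte count that was computed for malloc. */
char *join_path(const char *dir, const char *name){
  size_t need = strlen(dir) + strlen(name) + 2;
  char *path = malloc(need);
  if( path ) snprintf(path, need, "%s/%s", dir, name);
  return path;
}

/* Check that a joined path was not truncated: it must have the expected
 * length and still end with the file name component. */
int path_is_complete(const char *path, const char *dir, const char *name){
  if( !path ) return 0;
  size_t expected = strlen(dir) + 1 + strlen(name);
  return strlen(path) == expected
      && strcmp(path + strlen(dir) + 1, name) == 0;
}

int main(void){
  const char *dir = "/usr/local/bin";   /* constructed sample input */
  const char *name = "lemon";
  char *bad = join_path_truncating(dir, name);
  char *good = join_path(dir, name);
  printf("sizeof(char *) = %zu\n", sizeof(char *));
  printf("truncating: \"%s\" (complete=%d)\n",
         bad ? bad : "(null)", path_is_complete(bad, dir, name));
  printf("correct:    \"%s\" (complete=%d)\n",
         good ? good : "(null)", path_is_complete(good, dir, name));
  free(bad);
  free(good);
  return 0;
}
```

On amd64 the truncating variant yields "/usr/lo"; on a 32-bit target it yields "/us". In either case the resulting path never names the intended file, which is why the -Wsizeof-pointer-memaccess warning deserves to be treated as an error rather than noise.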

The issue is specific to the Debian package and has been introduced by
debian/patches/02-lemon-snprintf.patch. The original code is correct,
so the two corresponding hunks should be reverted.

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.15.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
